On Fri, 26 Sep 2014, J.C. Cleaver wrote:
On Fri, September 26, 2014 1:14 pm, me at tdiehl.org wrote:
Hi Henrik,
On Fri, 26 Sep 2014, Henrik Størner wrote:
The xymon CGI interface runs via shell wrappers around the actual C cgi code (to set the environment properly), which means this would be an avenue for attack. Indeed, this one is nasty. Fortunately, most Linux systems I know of have /bin/sh linked to /bin/dash and hence are not vulnerable.
In light of this, I think it is about time we retire the shell-script wrappers from Xymon. I have written a replacement which is now checked into the 4.3.18 branch.
There is a preliminary release of 4.3.18 available on https://www.xymon.com/patches/ - feel free to try it out. I will release 4.3.18 over the weekend unless I find some problems with it.
NOTE: Replacing the shell script wrappers means that the cgioptions.cfg file is no longer processed as a shell script. The new wrapper works fine with the default version of cgioptions.cfg, but if you have modified it in a way that it relies on being processed by a shell, then it will break.
I just upgraded bash to the latest from RH/CentOS and I can report that it breaks the data from machines using bbwin. They all went purple. To be sure my hunch was correct, I downgraded bash to bash-4.1.2-15.el6_5.1.x86_64 and the purple went away.
Is it expected that the fix you reference above will work with bbwin? I have not modified cgioptions.cfg.
That's very strange. Was there anything at all in the logs anywhere when that was happening? Does BBWin use anything special to communicate in to Xymon or is it simply submitting on port 1984 like normal?
I need to wait until the terabithia rpms are updated to upgrade xymon.
Regards,
I've posted a set of 4.3.18-0.0.7471.1 RPMs at http://terabithia.org/rpms/xymon/testing/ if you're curious to take a look, but I'm still testing myself and would use caution.
One note: The apache config file needs to be updated to allow FollowSymLinks in the /xymon-(sec)cgi/ directory, or all dynamic pages will return with a 403 error. The following line on upgrade should fix it:
perl -pe 's/Options ExecCGI Includes/Options ExecCGI FollowSymLinks Includes/' -i /etc/httpd/conf.d/xymon.conf && /sbin/service httpd graceful
I did some poking over the weekend and discovered that when I upgraded xymon a long time ago, I never looked at the associated .rpmnew files. After updating the various .rpmnew files including xymonserver.cfg and then applying the bash update all seems to be working normally.
In addition, I found that the default shell used in the xymon scripts is /bin/dash. So it looks like the bash exploit was never an issue for my systems.
Regards,
-- Tom me at tdiehl.org Spamtrap address me123 at tdiehl.org
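A pre-upgrade check for the three points raised in this thread (which shell /bin/sh really resolves to, the FollowSymLinks Options line that the new CGI wrapper needs, and cgioptions.cfg lines that only work when a shell evaluates them), written as an added example rather than code from the thread or from Xymon itself; the sample config contents and the shell-dependency heuristic are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xymon: pre-upgrade checks for
# the points discussed above. Paths are arguments so the functions can also be
# pointed at constructed sample files.

# Which shell does /bin/sh really resolve to (dash, bash, ...)?
sh_flavor() {
    basename "$(readlink -f "${1:-/bin/sh}")"
}

# Does the Apache config already allow FollowSymLinks on its Options line?
# Returns 0 if yes, 1 if not (without it the dynamic pages return 403).
has_followsymlinks() {
    grep -Eq '^[[:space:]]*Options[[:space:]].*FollowSymLinks' "$1"
}

# Idempotent form of the perl one-liner from the thread: rewrite only when the
# option is missing, so repeated runs never duplicate it (no sed -i, portable).
ensure_followsymlinks() {
    has_followsymlinks "$1" && return 0
    sed 's/Options ExecCGI Includes/Options ExecCGI FollowSymLinks Includes/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Heuristic (an assumption, not Xymon's own parser): flag cgioptions.cfg lines
# that rely on shell evaluation (command substitution, variable expansion,
# sourcing), which the non-shell wrapper will not perform. Prints them with line
# numbers; exit status 1 means none were found. Comment lines are ignored.
shell_dependent_lines() {
    grep -nE '\$\(|`|\$\{?[A-Za-z_]|^[[:space:]]*(\.|source)[[:space:]]' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Constructed sample files (not real Xymon configs) so the checks can be
# exercised offline; prints the directory they were written to.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '<Directory "/usr/lib/xymon/cgi-bin">' \
        '    Options ExecCGI Includes' '</Directory>' > "$d/xymon.conf"
    printf '%s\n' '# constructed cgioptions.cfg' \
        'CGI_SVC_OPTS="--env=/etc/xymon/xymonserver.cfg --no-svcid"' \
        'CGI_HIST_OPTS="--env=$XYMONHOME/etc/xymonserver.cfg"' \
        'CGI_REP_OPTS="$(cat /etc/xymon/extra.opts)"' > "$d/cgioptions.cfg"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then   # ./check.sh --demo runs against the samples
    d=$(make_samples); ensure_followsymlinks "$d/xymon.conf"
    echo "/bin/sh -> $(sh_flavor)"; cat "$d/xymon.conf"
    shell_dependent_lines "$d/cgioptions.cfg"
fi
```

To check a real host, call the functions with the live paths (/etc/httpd/conf.d/xymon.conf and the server's cgioptions.cfg) instead of the samples.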