I am wondering whether my server could be vulnerable to ShellShock (or better: was vulnerable). The shell test reveals that I'm vulnerable:

    $ export evil='() { :;}; echo vulnerable'; bash -c echo;
    vulnerable

I don't need CGI for any of my websites, but just to be sure, I tried grep -i "cgi" * on my Apache config files folder. Unfortunately I have discovered that some of my sites have CGI entries anyway, like this:

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>

However, there are no files in /usr/lib/cgi-bin:

    $ ll /usr/lib/cgi-bin/
    total 0

And following a test, I get an HTTP 403 error:

    $ curl -i -X HEAD "http://example.com/cgi-bin/" -A '() { :;}; echo "Warning: Server Vulnerable"'
    HTTP/1.1 403 Forbidden
    Date: Thu, 25 Sep 2014 22:22:32 GMT
    Server: Apache/2.2.14 (Ubuntu)
    Vary: Accept-Encoding
    Content-Type: text/html; charset=iso-8859-1

Can I safely conclude that my server is not vulnerable to a CGI attack in this case? If not, would a different curl command show the vulnerability? And would it be sufficient to remove the /cgi-bin/ definitions from Apache config files?

Thomas Weller

1 Answer

No, you can't conclude that from the 403 error. If the server returns a 403 error for a directory, that just means you aren't allowed to list the directory contents, or that the directory has an index page that you aren't allowed to access; this is very common for cgi-bin directories.

You can, however, conclude that you are not vulnerable because there are no files in the /cgi-bin/ directory: any attempt to invoke the "shellshock" vulnerability will simply result in Apache responding to the attacker with a "404 Not Found" error.

You can (and probably should) disable CGI, but that's simply because disabling unused functionality is good security practice in general, rather than being in response to any specific threat.

Mark
From what I've seen so far, not only cgi scripts are vulnerable, they're just the easiest target. Every page on your server can run a bash script, and therefore might compromise the system. You need to make sure you're not using bash in any server endpoint (php, java, etc.) – marmor Sep 28 '14 at 06:59
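
The check the answer relies on (is there anything behind a CGI mapping that Apache could execute?), as an added example that is not part of the original question, answer or comment. It generalizes the question's manual `grep` and `ll` to every `ScriptAlias` in the config files passed in; the function names and the sample tree are constructed for illustration. It assumes `ScriptAlias` paths without spaces, does not follow `Include` directives, and does not cover scripts enabled through `Options +ExecCGI` with a handler outside a `ScriptAlias` directory.

```sh
#!/bin/sh
# Print the filesystem target of every ScriptAlias in the given config files.
cgi_dirs() {
    awk 'tolower($1) == "scriptalias" && NF >= 3 {
             gsub(/"/, "", $3); sub(/\/$/, "", $3); print $3
         }' "$@" | sort -u
}

# Print every file or symlink below a CGI directory; under ScriptAlias,
# Apache treats all of them as CGI scripts.
cgi_files() {
    [ -d "$1" ] || return 0
    find "$1" \( -type f -o -type l \) | sort
}

# Report each CGI directory; return 1 if any of them contains a file.
audit_cgi() {
    rc=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        n=$(cgi_files "$dir" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "REVIEW $dir: $n file(s) Apache would run as CGI"
            rc=1
        else
            echo "EMPTY  $dir"
        fi
    done <<EOF
$(cgi_dirs "$@")
EOF
    return "$rc"
}

# Constructed sample tree: one empty CGI directory, one holding a script,
# and a commented-out ScriptAlias that must be ignored.
make_sample() {
    s=$(mktemp -d) && mkdir -p "$s/empty-cgi" "$s/used-cgi" &&
    printf '#!/bin/bash\necho\n' > "$s/used-cgi/status.sh" &&
    printf 'ScriptAlias /cgi-bin/ "%s/empty-cgi/"\n' "$s" > "$s/site.conf" &&
    printf '  scriptalias /old/ %s/used-cgi\n' "$s" >> "$s/site.conf" &&
    printf '# ScriptAlias /x/ /nope\n' >> "$s/site.conf" &&
    echo "$s"
}

sample=$(make_sample)
audit_cgi "$sample/site.conf" || echo "at least one CGI directory is not empty"
rm -rf "$sample"
```

On a real host, pass the same files the question grepped, for example every file in the Apache sites directory; any `REVIEW` line names scripts to inspect for use of bash.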