
This is a remote code execution, allowing attackers to run commands of their choice on the server with the user and privileges of the webserver.

Now, if one of the following is true (and that's quite common):

* The webserver has access to sensitive data

* The operating system has a bug that allows getting higher privileges as an unprivileged user without credentials

The machine is hacked and broken (either the sensitive data can be extracted or the machine can be reconfigured).

This is why remote code execution is rated very high as a vulnerability.

A common way to prove this is by running a command that doesn't do any direct harm. uptime is quite usual, reading /etc/passwd is also quite usual.




I'm not sure about the mechanics of this, but at a minimum the webserver probably has access to the HTTPS private key for the subdomain, or at least has it in memory, since the request is shown to be running over HTTPS.


Reading the memory of another process is not allowed on a modern OS for precisely that reason, so this would be another exploit. (http://en.wikipedia.org/wiki/Process_isolation) But the keys are most likely on disk, readable by the server ;).

Also, some setups are not prone to this: Twitter most likely uses a proxy terminating SSL and then forwards the request to a smaller webserver running the app. This one will not hold the keys.

Most larger webservers can also run the app workers with a different user than the webserver itself.


> Twitter most likely uses a proxy terminating SSL

https://en.wikipedia.org/wiki/SSL_termination_proxy


All web servers I've seen open the key files before dropping root privileges. These should never be readable by anything but root.


> Reading the memory of another process is not allowed on modern OS for precisely that reason, so this would be another exploit.

Both Linux and Windows allow processes to read the memory of other processes running as the same user, via ptrace() and /proc/pid/mem on Linux, and via ReadProcessMemory() on Windows.

(how else could you ever debug anything?)


Yes, but PTRACE can be disallowed by the process and behaves differently on some kernels, e.g. Ubuntu hardened:

https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening...

https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace

They usually only allow ptrace from parent to child or as root.

Also, with respect to debugging, see the comment in the second link:

> If you are running a machine and do not plan on debugging the applications on this machine, you should turn this boolean on.
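Added example, not code from any commenter here, illustrating both points of this sub-thread: a parent process reads a secret out of its child's memory through /proc/<pid>/mem (the same-user access one reply describes), and the process-side opt-out the other reply mentions, prctl(PR_SET_DUMPABLE, 0), which makes the process unreadable by anything without CAP_SYS_PTRACE. Linux only. The secret value is a constructed stand-in for a key held in memory. Whether the unprotected read succeeds also depends on Yama: with kernel.yama.ptrace_scope=1 (Ubuntu's default) it still works here because the reader is the parent, but an unrelated process of the same user would be refused; with scope 2 or 3 even the parent is refused.

```c
/* Added example: read a child's memory via /proc/<pid>/mem, with and
 * without the child making itself non-dumpable.  Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>

#define SECRET "hunter2"   /* constructed stand-in for key material in RAM */

/* Current kernel.yama.ptrace_scope (0-3), or -1 if Yama is not present. */
int ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Fork a child holding SECRET, then try to read it from the parent via
 * /proc/<pid>/mem at the same virtual address (fork() preserves the
 * address-space layout, so the parent knows where to look).  If protect
 * is non-zero the child first clears its dumpable flag.  Returns 1 if
 * the secret was read, 0 if the kernel refused (errno copied to
 * *err_out), -1 on setup failure. */
int try_read_child_secret(int protect, int *err_out)
{
    static char secret[sizeof SECRET];       /* static: same address in both */
    memcpy(secret, SECRET, sizeof secret);

    int ready[2];
    if (pipe(ready) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                            /* child */
        close(ready[0]);
        if (protect)
            prctl(PR_SET_DUMPABLE, 0);         /* refuse ptrace/mem access */
        if (write(ready[1], "r", 1) != 1)
            _exit(1);
        pause();                               /* wait to be killed */
        _exit(0);
    }

    /* parent: wait until the child has (maybe) protected itself */
    close(ready[1]);
    char c;
    if (read(ready[0], &c, 1) != 1) {
        close(ready[0]);
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    close(ready[0]);
    memset(secret, 0, sizeof secret);          /* our copy is gone; the child's is not */

    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int got = 0, err = 0;
    int fd = open(path, O_RDONLY);             /* the ptrace access check happens here */
    if (fd < 0) {
        err = errno;
    } else {
        char buf[sizeof secret] = { 0 };
        ssize_t n = pread(fd, buf, sizeof buf, (off_t)(uintptr_t)secret);
        if (n == (ssize_t)sizeof buf && memcmp(buf, SECRET, sizeof buf) == 0)
            got = 1;
        else
            err = errno;
        close(fd);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    if (err_out)
        *err_out = err;
    return got;
}

int main(void)
{
    printf("kernel.yama.ptrace_scope = %d\n", ptrace_scope());
    for (int protect = 0; protect <= 1; protect++) {
        int err = 0;
        int r = try_read_child_secret(protect, &err);
        printf("child %s: %s\n", protect ? "non-dumpable" : "default",
               r == 1 ? "secret read from /proc/<pid>/mem"
               : r == 0 ? strerror(err) : "setup failed");
    }
    return 0;
}
```

Run as an unprivileged user: the default child yields the secret on a scope 0 or 1 kernel, and the non-dumpable child fails at open() with EACCES, which is what setting the flag in a process that holds keys buys you. Root with CAP_SYS_PTRACE reads both, so the flag is a defence against same-user neighbours, not against a root compromise.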


ReadProcessMemory() requires the process to have debug privileges.

(how else could you ever secure anything?)


Could this be ShellShock?


That is not ShellShock, but it can potentially exploit ShellShock, which points out how dangerous both this and ShellShock are.



