/Reed( Kraft-)?Murphy(\.net)?/

the ramblings of a devops engineer and polymath

Mitigating CVE-2014-6271 "shellshock" in lighttpd with mod_magnet

Quick braindump:

  • a remote code vulnerability (CVE-2014-6271) in bash has been disclosed
  • bash will parse any environment variable value which begins with () { as a function, and continue parsing and executing any shell commands it encounters
  • env x='() { :;}; echo vulnerable' bash -c "echo" will print “vulnerable” if your bash is vulnerable
  • lots of Internet facing services put strings from requests into environment variables
  • curl -A "() { :; }; touch /var/www/oh_hai_webroot" http://eg.your.webserver/cgi-bin/foo.cgi

Using lighttpd’s mod_magnet, you can write arbitrary Lua scripts to do all kinds of things to requests. Here’s one that looks for the exploit’s signature, logs all the request details and returns a HTTP 500 error:

function is_shellshock(value)
    if not value then return false end
    local pattern = "()%s{"
    if string.find(value, pattern) then
        message_t = {}
        for k,v in pairs(lighty.request) do
            if v then
                table.insert(message_t, k)
                table.insert(message_t, v)
            end
        end
        for k,v in pairs(lighty.env) do
            if v then
                table.insert(message_t, k)
                table.insert(message_t, v)
            end
        end
        print("shellshock: " .. table.concat(message_t, ", "))
        return true
    end
    return false
end


for header,value in pairs(lighty.request) do
    if is_shellshock(value) then return 500 end
end

for thing,value in pairs(lighty.env) do
    if is_shellshock(value) then return 500 end
end

return

Then enable mod_magnet and run that Lua script on all requests:

server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/etc/lighttpd/magnets/shellshock.lua" )

Reed Kraft-Murphy

Read more posts by this author.