Broken shell vulnerability patches to bypass analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201454161
Type myhack58
Reporter 佚名
Modified 2014-09-28T00:00:00


During the day busy with vulnerability response, Server, test and fix, the vulnerability affects the scope of Statistics and other things, until the night finally have time to analyze.

Official first patch main changes:

1, The parameter types and the number of constraints, from the annotations can be seen:

define SEVAL_FUNCDEF 0x080 / only allow function definitions / #define SEVAL_ONECMD 0x100 / only allow a single command /

2, builtins/evalstring. c file in parse_and_execute added to the type judgment:

if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) { Not illegal, not a function definition break; }

... // Logic true indicates that the parameter is unlawful if (flags & SEVAL_ONECMD) break;

From the above you can see the patch idea: if not a function definition, command command more than a It is judged to be illegal. What is considered a legitimate yet, Bypass the POC gives the answer:

env X='() { (x)=>\' ./ bash-c 'my echo hello'

As long as the body of the function satisfies () { hit the head on the line. And this POC also meets a single command-command, because no show“;”the.

The Bash Shell in eval when it came to grammar issues (x)= is ignored. Then came focus, a new bash process to execute this command:

>\my echo hello

Then the path generated my file, the content is hello.

Bash syntax is extremely weird, let us one by one analysis.

The character \ is a transfer of character, when the retain followed by the text, and \my the actual is equal to the string of my, if not\, the new bash process will put my as command. Because if you're in a terminal just type \and press Enter, the current bash process will block waiting for you to enter, in the POC, the“input”is my.

Character > is the legendary redirect, suppose you want to put A process write the output to a file B, is written as follows:

A > B

In fact, you wrote a > B A form can also, do not believe try:

[lu4nx@lx-pc /tmp]$ > hi date [lu4nx@lx-pc /tmp]$ cat hi 2 0 1 4 year 0 9 month 2 7 day Saturday 0 1:0 6:0 6 CST

This prefix along the lines I was also the first time to see this analysis of the Shell source code, see its design is extremely like a Lisp parser, I think this wording is taken care of Lisper, because Bash structure is basically an interactive REPL and eval, and the Lisp parser core is the eval until I saw the Shell of the Yacc syntax analysis parse. y after, I understood why. The redirection syntax is defined as follows:

redirection: '>' WORD { redir. filename = $2; $$ = make_redirection (1, r_output_direction, redir); }

Here, the output file is taken from $2, and $2 in this section represents the parameters of the WORD, if the input statement is > A B, then WORD of the argument is A ;If the input statement is A > B, then the WORD of the argument is B.

[1] [2] next