Bash Shellshock vulnerability simply explained

2014-10-17T00:00:00
ID MYHACK58:62201454734
Type myhack58
Reporter Anonymous
Modified 2014-10-17T00:00:00

Description

Preface

I analyzed this vulnerability before the National Day holiday. After seeing readers discuss it in Security Reference, I wrote this simple explanation of the Bash Shellshock vulnerability.

Vulnerability overview

Put simply, the vulnerability is that bash does not strictly filter its input when it defines a function, and this leads to code execution. It is similar to the following in PHP:

eval("function func1(){ return 1; }; echo 2;");

After the definition of func1 is complete, the program keeps executing whatever follows it, so echo 2 runs and the command injection succeeds.

Scope of exploitation

The exploit requires two conditions:

First, a bash environment variable is controllable, so a command can be injected into it.

Second, a child process is started, which triggers the function-definition step.

Several exploitation scenarios

Apache CGI scripts written in bash

Apache CGI scripts written in Python, Perl and other languages that start a child process, e.g. the Python code os.system("id")

Git/Svn/Rsync and similar SSH environments that are restricted to specific commands, where the restriction can be bypassed

DHCP clients

Some SMTP mail servers and other software that meets the two conditions above

CVE-2014-7169 PoC explained

env X='() { :;}; echo vulnerable' bash -c "echo this is a test"

The env command sets an environment variable X and then runs the command that follows it, which starts a bash child process and triggers the vulnerability.

() { } is an anonymous function. In the :; between the braces, the colon is equivalent to a nop. Because the function body is not wrapped onto separate lines, the semicolon is required; :; is the minimal element of a bash function body.
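One way to act on the two conditions defensively, as an added example that is not part of the original article: a Python wrapper for the CGI scenario that drops environment variables whose value opens like a function definition before a child process is started. The function names, header values and host name are constructed for illustration.

```python
import re
import subprocess

# A value that opens like a function definition: "() {". Whitespace variants
# are flagged too, which is broader than the exact prefix shown in the PoC.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def cgi_env_from_headers(headers):
    """Map request headers to CGI variables (HTTP_<NAME>), as a CGI server does."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}

def scrub_env(env):
    """Split env into (clean, flagged); flagged holds values that start with '() {'."""
    clean, flagged = {}, {}
    for name, value in env.items():
        (flagged if FUNC_PREFIX.match(value) else clean)[name] = value
    return clean, flagged

def run_child(argv, env):
    """Start the child process with the scrubbed variables only (condition two)."""
    clean, flagged = scrub_env(env)
    for name in flagged:
        print("dropped suspicious variable:", name)
    return subprocess.run(argv, env=clean, capture_output=True, text=True)

# Constructed sample request headers; the User-Agent value is the page's PoC string.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "() { :;}; echo vulnerable",
    "Accept": "text/html",
    "Cookie": "note=f() { return 1; }",  # braces mid-value: not a function prefix
}

if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    env["PATH"] = "/usr/bin:/bin"
    result = run_child(["env"], env)  # the child lists the variables it received
    print(result.stdout)
```

A filter like this is a stop-gap in front of the child process; it does not replace updating bash.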
