This vulnerability is described as follows:
Shellshock (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) is a vulnerability in GNU's bash shell that gives attackers the ability to run remote commands on a vulnerable system. If your system has not updated bash since Tuesday, September 2014, 1:32pm EST (see the patch history), you are most definitely vulnerable and have been since first boot. According to NVD, this security vulnerability affects versions 1.14 (released in 1994) through the most recent version, 4.3.
There is also a script to test for this vulnerability:
shellshock_test.sh
As for how it works, I spent half a day looking at it and think I roughly understand it now:
The key to the vulnerability is that bash passes defined functions to child processes through the environment, in roughly the following format (define a function, export it, and look at the environment):
$ function foo { echo bar; }
$ export -f foo
$ env | grep -A1 foo
foo=() {  echo bar
}
So, is it possible to slip a fake function in there? The answer is yes! What's more, the crux is that when bash imports such a function from the environment, it does not check for a complete "{ ... }" pair; it simply executes all the bash code that follows the "{", including whatever code you appended yourself. So why not put something there and have bash execute it?
To put it another way: if you don't use bash, are you safe? In theory, yes. But there are always exceptions, for example when your program uses system() calls or similar to run shell commands. Your program inherits the environment variables of its parent, the shell started by the system() call inherits the environment variables of your program, and that shell may then incidentally execute the code that was injected into an environment variable.
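The following is an added example (POSIX sh, not code from the original post) that covers the two points above: how bash carries a function through the environment and whether the local bash still imports function bodies from arbitrary variables, and how a variable inherited from a parent process reaches a shell started by a system()-style call, together with the scrubbed-environment mitigation. The names foo, x and MARKER are constructed for the demo; the diagnostic in check_shellshock is the widely published one-line test, used here purely to report patched or vulnerable.

```shell
#!/bin/sh
# Added example, not code from the original post. Names foo, x and MARKER
# are constructed for this demo.

# (1a) Print the env entry bash creates for an exported function. Pre-patch
# bash used the plain name ("foo=() { ..."); patched bash uses the
# "BASH_FUNC_foo%%" form so ordinary variables can no longer be mistaken
# for function definitions.
show_exported_function() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    bash -c 'foo() { echo bar; }; export -f foo; env | grep -A1 "foo.*=() {"' \
        || echo "exported function not found in env"
}

# (1b) The classic diagnostic: hand bash an ordinary variable whose value
# looks like an exported function with a trailing command. Patched bash
# treats x as plain data and prints nothing; unpatched bash runs the trailing
# command while importing the "function". Prints patched|vulnerable|no-bash.
check_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env 'x=() { :;}; echo vulnerable' bash -c ':' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# (2a) Stand-in for "your program" calling system(): the new shell inherits
# this process's whole environment, untrusted variables included.
run_via_shell() {
    sh -c "$1"
}

# (2b) Mitigation: start the child shell with an empty environment plus only
# what it needs, so values copied in by an outer layer (a CGI server placing
# HTTP headers in the environment, for instance) never reach it.
run_via_clean_shell() {
    env -i PATH=/usr/local/bin:/usr/bin:/bin sh -c "$1"
}

# Simulate the outer layer putting an untrusted value in the environment.
MARKER='() { :;}; echo injected'
export MARKER

show_exported_function
check_shellshock
run_via_shell 'echo "${MARKER:-absent}"'        # inherited: prints the marker
run_via_clean_shell 'echo "${MARKER:-absent}"'  # scrubbed: prints "absent"
```

On a patched system check_shellshock prints "patched" and the scrubbed child prints "absent" while the plain child still sees the injected value; that difference is the whole reason to clear the environment (or pass an explicit one) before anything in a request-handling path spawns a shell. The grep -A1 in show_exported_function relies on the common GNU/BSD extension, as in the original session above.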
Here is a scenario based on the simple test shell script provided by 360:
1. The server side has a shell script; its content is arbitrary and can be as follows:
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo ''
echo ''
echo '<meta http-equiv="Content-type" content="text/html; charset=utf-8">'
echo '<title>PoC</title>'
echo ''
echo '<body>'
echo '<pre>'
/usr/bin/env
echo '</pre>'
echo '</body>'
echo ''
exit 0
2. Now the client can use a browser, curl, wget, nc or a similar tool to connect to your server and trigger this script. With curl, for example, you see:
3. Note that this is the normal situation!!! In the normal situation it just displays the output. However, the web server puts the HTTP headers into the environment first. So, with the following request (nc and wget are similar; just supply the header):
4. Cough. Then you will happily see the following:
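Since the scenario above turns on the web server copying request headers into the CGI script's environment, the defender-side counterpart is to look for that header pattern in what the server logged. The following is an added example (POSIX sh, not code from the original post or from 360's test script) that scans access-log lines for the exported-function prefix "() {" that such a probe places in a header like User-Agent or Referer. The log lines, addresses and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. SAMPLE_LOG is constructed;
# the IPs are documentation addresses and the paths are placeholders.

SAMPLE_LOG='203.0.113.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.12 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.37.0"
203.0.113.13 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "() { ignored; }; echo probe" "Wget/1.15"'

# Count lines carrying the signature. Fixed-string matching (-F) so the
# parentheses and brace are taken literally. Reads the log on stdin; note
# that grep -c still prints 0 (and exits 1) when nothing matches.
count_shellshock_probes() {
    grep -c -F '() {'
}

# Print the distinct source addresses of matching lines for triage.
list_probe_sources() {
    grep -F '() {' | awk '{ print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes   # 2
printf '%s\n' "$SAMPLE_LOG" | list_probe_sources        # 203.0.113.11 and 203.0.113.13
```

Against a real file the functions read stdin, e.g. count_shellshock_probes < /path/to/access.log (path is a placeholder). The caveat is that the combined log format only records a few headers (User-Agent, Referer), so a probe carried in Cookie or a custom header would not show up here; the log scan is a cheap retrospective check, while patching bash and filtering the request itself at the proxy or WAF are the controls that actually stop it.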
About Bash's Shellshock vulnerability