About Bash's Shellshock vulnerability

Source: Internet
Author: User
Tags: cve

This vulnerability is described as follows:

Shellshock (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) is a vulnerability in GNU's bash shell that gives attackers the ability to run remote commands on a vulnerable system. If your system has not updated bash since Tue Sep @ 2014:1:32pm EST (see the patch history), you're most definitely vulnerable and have been since first boot. According to NVD, this security vulnerability affects versions 1.14 (released in 1994) through the most recent version, 4.3.

There is also a script to test this vulnerability:

shellshock_test.sh

As for the principle, after looking at it for half a day I think I roughly understand it:

The key to the vulnerability is that bash exports defined functions into the environment, roughly in the following format:

$ function foo { echo bar; }
$ export -f foo
$ env | grep -A1 foo
foo=() {  echo bar
}

In that case, is it possible to put a fake function into the environment? The answer is yes! What's more, the key here is that when bash imports such a function, it does not stop at the end of the "{...}" definition but simply keeps going and executes all the bash code that follows it, including whatever code you placed there. So why not put something there and let it execute?
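The test script mentioned above is not reproduced on the page. As an added example (not the page's script and not part of the original post), the following Python self-check puts a function definition with a trailing command into the environment of a child bash, exactly as described above, and reports whether the trailing command ran. The variable name SHELLSHOCK_PROBE and the marker text are constructed for this example; the trailing command only echoes a string, so the check is harmless on a patched or an unpatched host.

```python
"""Shellshock self-check for the local bash (added example, not the page's script)."""
import os
import shutil
import subprocess


def shellshock_check(bash_path=None):
    """Return "patched", "vulnerable" or "no-bash".

    bash stores an exported function in the environment as NAME='() { body; }'.
    A patched bash imports the function and ignores anything after the closing
    brace; an unpatched one (CVE-2014-6271) executes the trailing command as
    soon as the child bash starts, before it even runs the -c script.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None or not os.access(bash, os.X_OK):
        return "no-bash"

    env = dict(os.environ)
    # Constructed probe: a (harmless) function definition followed by a marker command.
    env["SHELLSHOCK_PROBE"] = "() { :; }; echo SHELLSHOCK_MARKER"

    proc = subprocess.run(
        [bash, "-c", "echo check-ran"],
        env=env,
        capture_output=True,
        text=True,
        timeout=10,
    )
    # Only an unpatched bash prints the marker; the -c script itself never does.
    return "vulnerable" if "SHELLSHOCK_MARKER" in proc.stdout else "patched"


if __name__ == "__main__":
    print("bash status:", shellshock_check())
```

Run it on the host you want to assess; a result of "patched" means the child bash ignored the code after the function body, which is the behaviour the upstream fixes introduced.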

Coming back to the point: if you are not using bash, is the problem gone? In theory, yes. However, there are always exceptions. For example, when you are programming you use system() and similar calls to run shell commands. Your program inherits the environment variables of its parent, the shell spawned by your system() call inherits the environment of your program, and then it may incidentally execute the code that was injected into an environment variable.

Here is a scenario based on the simple test script provided by 360:

1. The server side has a CGI shell script; its content is arbitrary and can be as follows:

#!/bin/bash
echo "Content-type: text/html"
echo ""
echo ''
echo ''
echo '<meta http-equiv="Content-type" content="text/html; charset=utf-8">'
echo '<title>PoC</title>'
echo ''
echo '<body>'
echo '<pre>'
/usr/bin/env
echo '</pre>'
echo '</body>'
echo ''
exit 0

2. At this point the client can use a browser, curl, wget, nc or a similar tool to connect to your server and trigger this script. With curl, for example, you can see:

3. Note that this is the normal situation!!! Normally it simply displays the environment, and that is all it shows!!! However, the web server puts the HTTP headers into the environment first. So, access it as follows (nc and wget are similar; just supply the header on the command line):

4. Cough. Then you will happily see the following situation.
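The scenario above hinges on the web server copying request headers into HTTP_* environment variables, and the earlier paragraph on system() hinges on children inheriting that environment. As an added example (not code from the original post or from 360's test script), the following Python shows the defensive side of both: flagging header values that carry the "() {" function-definition prefix before a CGI script sees them, and scrubbing such values from any environment handed to a child process. The sample requests, the header names and the marker string are constructed for this example.

```python
"""Detect and strip Shellshock-style values on the web-server / parent-process side.
Added example; sample requests below are constructed, not captured traffic."""
import os
import re
import subprocess

# A header value becomes a bash function definition once it is exported as
# HTTP_<HEADER>.  Whitespace between "(", ")" and "{" varies, so tolerate it;
# this is the same shape that the common IDS rules for Shellshock match on.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def suspicious_headers(headers):
    """Return the names of headers whose value starts like an exported bash function."""
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


def cgi_env(headers, base_env=None):
    """Build the HTTP_* environment a CGI server would hand to a script,
    refusing to export any value that looks like a function definition."""
    env = dict(base_env) if base_env is not None else {}
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            continue  # mitigation: the trigger never reaches the child's environment
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def scrub_env(environ):
    """Copy of `environ` without any "() {" value.  Pass the result to
    subprocess/system() so an inherited variable cannot carry the trigger."""
    return {k: v for k, v in environ.items() if not SHELLSHOCK_RE.search(v)}


# Constructed sample requests: one ordinary, one carrying the trigger in User-Agent.
NORMAL_REQUEST = {"Host": "example.test", "User-Agent": "curl/7.37.0", "Accept": "*/*"}
PROBE_REQUEST = {
    "Host": "example.test",
    "User-Agent": "() { :; }; echo probe-marker",
    "Accept": "*/*",
}

if __name__ == "__main__":
    for request in (NORMAL_REQUEST, PROBE_REQUEST):
        print("flagged headers:", suspicious_headers(request) or "none")
        child_env = scrub_env(cgi_env(request, os.environ))
        # Spawn a child the way a CGI server would; only the clean HTTP_* values arrive.
        subprocess.run(["sh", "-c", "env | grep ^HTTP_ || true"], env=child_env)
```

The flagging function is what you would wire into request logging or a reverse proxy to detect probing; the two environment functions are the mitigation for servers that must keep spawning shell-backed CGI scripts or system() calls until bash itself is patched.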
