Bash 3.0-4.3 Command Execution Vulnerability Analysis (by @lu4nx)
Reports on this vulnerability:
- http://www.freebuf.com/news/44805.html
- http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
- Gitlab-shell is affected by the Bash CVE-2014-6271 vulnerability
- Linux security vulnerability exposed: the Bash bug is more serious than Heartbleed
The solution is to upgrade Bash. Please refer to this article.
Test
Run the following command in a Bash shell:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output is:
vulnerable
this is a test
then the vulnerability exists. After the patch is installed, the following warning and error are returned instead:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Principle Analysis
Variables can be defined in the shell, and the POC defines a variable named x whose content is the string:
() { :;}; echo vulnerable
According to the vulnerability information, the vulnerability occurs when the shell, while processing a function definition, executes the command that follows the function body. But here the value of x is a string, so how does it become a function?
This is related to Bash's implementation. In Bash, a function is defined in the format:
function function_name() { body; }
When Bash initializes its environment variables and the parser finds the parentheses and braces, the value is treated as a function definition:
[lu4nx@lx-pc ~]$ say_hello='() { echo hello world; }'
[lu4nx@lx-pc ~]$ export say_hello
[lu4nx@lx-pc ~]$ bash -c 'say_hello'
hello world
In the code above, say_hello acts as a function in the new Bash process. Its evolution is as follows:
1. At startup, the new bash scans the environment variables. Parentheses and braces appear in the value of say_hello, so it is treated as a function definition.
2. bash takes say_hello as the function name and its value as the function body.
The typeset command lists all variables and function definitions in the current environment. Let's use typeset to see how this string becomes a function, continuing with say_hello:
[lu4nx@lx-pc ~]$ bash -c 'typeset' | fgrep -A 10 say_hello
say_hello ()
{
    echo hello world
}
A new Bash process is started and typeset is executed in it. typeset lists all definitions in the current (new) environment, and it is clear that say_hello has been converted into a function.
Cause of vulnerability
The vulnerability is that after parsing the function body, Bash also executes the statement that follows the function definition. Why?
Combining the patch with the Bash source code, I found that during Bash initialization the parse_and_execute function in builtins/evalstring.c is called. That is, when Bash initializes the environment, it calls an eval-style function that parses string input and executes it.
Looking further into parse_and_execute, the key lines are:
else if (command = global_command)
  {
    struct fd_bitmap *bitmap;
It checks whether the parsed command has become the global command. After the new bash process starts, say_hello is not only parsed into a function but also becomes global:
[lu4nx@lx-pc data]$ bash -c 'typeset -f'
say_hello ()
{
    echo hello world
}
declare -fx say_hello
declare is a Bash builtin used to set the attributes of variables. -f indicates that say_hello is a function, and -x indicates that say_hello has been exported as an environment variable. So say_hello is a global function.
In fact, all Bash wants at startup is to initialize environment variables and define some functions. The original method was to run each "name=value" assignment statement once through eval: if a function definition is encountered, it is converted into a function, and nothing else should happen. However, while scanning the function definition and converting it into a function, Bash accidentally executed the command that followed the function body. This is not really an error in eval itself; the syntax parsing was simply not strict enough, so the patch adds the following check to determine the validity of the function body:
if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
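As an added example (not part of the original article or of Bash's source), the following Python reproduces that check in user space: an environment value is accepted as a function only if nothing follows the closing brace of its body. The sample environment is constructed from the article's say_hello and POC values, and the brace/quote walk is a deliberate simplification of Bash's real parser.

```python
# Added example: mirrors the check the Shellshock patch adds to
# parse_and_execute. Bash imports an environment value as a function when
# it begins with the literal prefix "() {"; the defect was that any command
# after the function body was executed too. Simplified parser, constructed data.

FUNCDEF_PREFIX = "() {"

def classify_env_value(value: str) -> str:
    """Return 'plain', 'function', 'function+trailing' or 'malformed'."""
    if not value.startswith(FUNCDEF_PREFIX):
        return "plain"                      # an ordinary variable
    depth, quote, i = 1, None, len(FUNCDEF_PREFIX)
    # Walk the body counting braces; quoted or escaped braces do not end it.
    while i < len(value) and depth > 0:
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1                      # skip escaped char inside "..."
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "\\":
            i += 1                          # skip escaped char
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        i += 1
    if depth != 0:
        return "malformed"                  # body never closed
    # Patched Bash rejects the import unless the whole value is the definition.
    return "function+trailing" if value[i:].strip() else "function"

def scan_env(env: dict) -> dict:
    """Classify every variable; callers act on 'function+trailing'."""
    return {name: classify_env_value(val) for name, val in env.items()}

# Constructed sample environment using the article's say_hello and POC values.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "say_hello": "() { echo hello world; }",
    "x": "() { :;}; echo vulnerable",
    "quoted": "() { echo '}'; }",
}

if __name__ == "__main__":
    for name, kind in scan_env(SAMPLE_ENV).items():
        print(f"{name}: {kind}")
```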
Supplement
In addition, many people are confused by the "{ :; }" in the POC. The semicolon is used as a terminator, while the colon does nothing, similar to pass in Python. For more information, see the official Bash documentation.
Knowledge Source: blog.knownsec.com/2014/09/bash_3-0-4-3-command-exec-analysis/