Today burst a bash rce loophole, powerful. Look at the analysis of foreigners, feel the need to write their own understanding of this loophole.
First, the problem results from a command env.
Prototype:
env [OPTION] ... [Name=value] ... [COMMAND [ARGS] ...]
That's what man says:
Display, set, or remove environment variables,run a command in a modified environment.
My understanding is that using the key=value of the ENV command will first change the environment variable key, if it is not created temporarily, notice that this is a temporary change to the environment variable. It then executes the contents following value as a command, similar to the eval in PHP.
The test is as follows:
As you can see, this command can be achieved by temporarily modifying an environment variable while also executing a command.
The spread of exp on the web usually comes with a user-agent field followed by a string. Strictly speaking, the user-agent here can be completely replaced with other HTTP fields.
Note that the env itself is not a cause of the vulnerability, the essence of which is code injection.
In the code snippet of the processing parameters in Bash Source:
This code is used when parsing anonymous functions, and we can use anonymous functions to achieve the purpose of execution:parse_and_execute. The string here is the value,name of the environment variable, which is the key value of the environment variable. Because it is not filtered, it is passed directly to the temp_string and then sent to the parse_and_execute for execution.
That is, the anonymous function should have ended after it was finished, but it continued to execute the following arguments in bash.
For example: Test= () {:;}; /bin/cat/etc/passwd
/BIN/CAT/ETC/PASSWD is also executed when an environment variable is imported into bash.
The relationship with CGI is:
For CGI scripts, the "Key-value" in the HTTP protocol becomes the "Environment variable = value" in the shell.
Host ("www.example.com", as Remote_host)
Header value ("Custom-header-value", as Http_custom in this example)
Server protocol ("http/1.1", as Server_protocol)
The env is used when importing client information into system environment variables. So, we can attack the server by constructing the attack vectors on the client. From the CGI processing of HTTP parameters, it is possible to use which field.
The local test process is as follows:
To construct a vulnerable CGI:
Visit: Http://10.10.10.132/cgi-bin/test
Here I also use user-agent to test:
As a result, after sending the request, the server will burst into 500 errors:
But this time echo AAA >/tmp/test did.
Verify under:
As you can see, the server randomly complains, but our code executes successfully.
Exp:
Use NC to do a bounce shell just fine, it's very powerful.
But this loophole is not good to do batch, a thought is the crawler + scan for CGI link acquisition. Of course, there is a relatively no brain, that is------------------------------------directly grasp the search engine.
Above for personal understanding, welcome to discuss and wrong correction.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
