CVE: 2014-6271, CVE: 2014-7169 patch Solution Analysis

Directory

1. The first patch solution officially provided by RedHat 2. The temporary patch solution officially provided by RedHat 3. The second patch solution officially provided by RedHat

 

1. The first patch solution officially provided by RedHat

0x1: patch repair Principle

Patch repair focuses on the following:

1. added two macro definitions in builtins/common. h to restrict the parameters that allow input and resolution of environment variables. This is a parameterized defense concept.

2. In the parse_and_execute () function of builtins/evalstring. C, the boundaries of the environment variable parameters to be parsed are checked.

The type is defined in command. h and the type of the command is defined.

/Command. h

The solution of patch is to determine the type of the input parameter. If the parameter is not a cm_function_def, that is, not a complete function definition instruction, code injection is generated.

0x2: bypass problems after patching

The key point of patch fixing code is to judge the type of input parameters, that is

We can reverse-think from this point. If we can set the command type to cm_function_def, we can bypass the patch code.

PoC

env X=‘() { (a)=>\‘ sh -c "echo whoami"; cat echo 

Construct a half-open semi-closed "{" to forge an unfinished function definition. With this half-open Function Definition "{", when detecting the logic code, command-> type is identified as cm_function_def, and the purpose of code execution is re-exposed during code parsing and execution. A typical bypass Logic

Relevant link:

http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012

 

2. Temporary patch solution officially provided by RedHat

A workaround is available which can mitigate this issue without patching bash. Please note that this workaround has only been subjected to very limited testing, and it may have 
unintended consequences

0x1: Defense ideas for temporary solutionsBash_ld_preload.c

#include <sys/types.h>#include <stdlib.h>#include <string.h>static void __attribute__ ((constructor)) strip_env(void);extern char **environ;static void strip_env(){    char *p,*c;    int i = 0;    for (p = environ[i]; p!=NULL;i++ )     {        c = strstr(p,"=() {");        if (c != NULL)         {            *(c+2) = ‘\0‘;        }        p = environ[i];    }}

Compile it:

gcc bash_ld_preload.c -fPIC -shared -Wl,-soname,bash_ld_preload.so.1 -o bash_ld_preload.so

Copy bash_ld_preload.so to/lib:

cp bash_ld_preload.so /lib/

Modify the Apache. So load path

vim /etc/init.d/httpdLD_PRELOAD=/lib/bash_ld_preload.soexport LD_PRELOAD

Restart Apache

service httpd restart

Continue bypass POC attacks

After the patch is loaded, the. So file filters and cleans the input malformed parameters, and achieves the purpose of repairing the malformed parameters.

0x2: Risks of temporary solutions

This scheme may cause the program that relies on Bash commands for udfs to become invalid. If the program on the machine uses the bash script command and contains the "() {" function definition, or for other purposes, it will be deleted directly, with a high risk factor. The official suggestion is that this temporary scheme should be used with caution.

Relevant link:

http://seclists.org/oss-sec/2014/q3/650http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048

 

3. The second patch solution officially provided by RedHat

0x1: patch repair Principle

1. parameterized definition of input parameters

2. Strip the input parameters.

3. determine the legality of parameters after border strip

Through this solution, we can effectively defend against half-open code injection.

0x2: risks of the patch Solution

After code evaluation, the RedHat solution should have no obvious problems and can be used as a stable patch upgrade solution.

Relevant link:

https://rhn.redhat.com/errata/RHSA-2014-1306.html

 

Copyright (c) 2014 littlehann All Rights Reserved

 

CVE: 2014-6271, CVE: 2014-7169 patch Solution Analysis