Question about Shellshock Bypass
The Shellshock vulnerability (CVE-2014-6271) has been making waves for the past two days. Related links:
http://blog.knownsec.com/2014/09/bash_3-0-4-3-command-exec-analysis/ (Knownsec's source-code-level analysis)
http://coolshell.cn/articles/11973.html (Chen Hao's analysis on CoolShell)
The two articles above should already explain the details clearly.
Chen Hao's analysis mentions a bypass of the official patch, namely CVE-2014-7169. The bypass code is as follows:
env X='() { (a)=>\' sh -c "echo date"; cat echo
Let me give my view on this bypass:
This bypass is clever, but it is of little significance.
First, let's look at how Shellshock (CVE-2014-6271) arises. The PoC is as follows:
env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
First, env VAR='() { :;}; echo Bash is vulnerable!' adds an environment variable named VAR whose value is
() { :;}; echo Bash is vulnerable!
When a bash process starts up, it parses the current environment variables. A value that looks like a function definition is not parsed correctly: bash does not stop at the end of the function body, so the text that follows it is executed as a command. That is the command injection, and it is why echo Bash is vulnerable! runs.
The core of this bug is that bash does not parse environment variables properly. As long as the environment variables are contaminated, a vulnerable bash may execute the commands that have been planted in them.
In other words, the attacker only needs to pollute the environment variables. The echo Bash Test executed by the subsequent bash is irrelevant: no matter what that bash is asked to run, echo Bash is vulnerable! will be executed.
Now let's look at the PoC for attacking a remote web server:
curl -H 'User-Agent: () { :;}; your command' http://xxx/cgi-bin/xxx.sh
The attacker sends an HTTP request whose User-Agent header is () { :;}; your command, where your command is the command injected by the attacker. A CGI web server copies request headers into environment variables (the User-Agent header becomes HTTP_USER_AGENT) before it invokes the script, which is how the attacker's value reaches bash.
The injected User-Agent in the first half is therefore equivalent to env VAR='() { :;}; your command', and the xxx.sh that follows is equivalent to bash -c "echo Bash Test".
Therefore, the attacker can execute arbitrary commands.
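The web server vector described above leaves a recognisable trace in the access log: the function-definition prefix "() {" appears inside a header value. The following script is an added example for this post, not code from the original author or from either linked analysis. It assumes Apache combined log format, and the SAMPLE_LOG lines are constructed for the example (the addresses and requests are not real traffic).

```shell
#!/bin/sh
# Added example, not part of the original post: scan web server access log
# lines for the Shellshock header prefix "() {" described above.
# Assumptions: Apache combined log format with the User-Agent as the last
# quoted field; the SAMPLE_LOG lines are constructed for this example.

SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo Bash is vulnerable!"
10.0.0.6 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { (a)=>\"
10.0.0.8 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "curl/7.37.0"'

# Reads log lines on stdin and prints how many carry "() {" anywhere in the
# line. The whole line is checked rather than only the User-Agent field,
# because other headers that CGI exports (Referer, Cookie, ...) reach bash the
# same way. grep -c prints 0 but exits 1 when nothing matches, so "|| true"
# keeps the function's exit status at 0.
count_shellshock_probes() {
    grep -c -F '() {' || true
}

# Reads log lines on stdin and prints the distinct source addresses (field 1)
# that sent a matching request, one per line, sorted.
shellshock_probe_sources() {
    grep -F '() {' | cut -d ' ' -f 1 | sort -u
}

# Usage on the constructed sample: 2 hits, from 10.0.0.5 and 10.0.0.7.
printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes
printf '%s\n' "$SAMPLE_LOG" | shellshock_probe_sources
```

Both functions read from stdin, so a real log can be piped in with cat access.log | shellshock_probe_sources. The second constructed line shows the CVE-2014-7169 variant discussed later in the post; it carries the same "() {" prefix, so the same check catches it.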
Now let's look at this so-called bypass:
env X='() { (a)=>\' sh -c "echo date"; cat echo
In fact, it can be written as
env X='() { (a)=>\' bash -c "dumped command"; cat dumped
For details, see Chen Hao's analysis.
cat dumped is only there to read the file; it has nothing to do with the bug and can be removed:
env X='() { (a)=>\' bash -c "dumped command"
Compare this with the first PoC:
env VAR='() { :;}; your command' bash -c "WHATEVER"
As you can see, the attacker does not inject any attack command at all (there is no your command).
What the attacker injects is just (a)=>\, in effect a stray >\ redirection, and the attacker cannot control which command the server executes.
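The difference between the two PoCs can be turned into a local self-check: CVE-2014-6271 shows up as extra output, while CVE-2014-7169 shows up only as a file named echo appearing in the working directory. The script below is an added example for this post, not code from the original author or from the linked analyses. It assumes the binary under test is the first argument or, if none is given, the bash found on PATH, and that mktemp -d is available; the 7169 check runs in a fresh temporary directory so that the stray file never lands anywhere else.

```shell
#!/bin/sh
# Added example, not part of the original post: run the two PoCs quoted in the
# post against a bash binary as a local self-check and print one word per CVE.
# Assumptions: the binary under test is "$1" or, if empty, the bash on PATH;
# mktemp -d is available. Nothing is changed outside a temporary directory.

# CVE-2014-6271: an unpatched bash executes the text after the function body
# while importing the variable, so MARKER6271 shows up in the output even
# though the command actually requested is only "echo probe".
check_cve_2014_6271() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "bash-not-found"; return 0; }
    out=$(env VAR='() { :;}; echo MARKER6271' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *MARKER6271*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the injected "(a)=>\" leaves the parser in a state where the
# requested command "echo date" is read as ">echo date", i.e. the output of
# "date" is written to a file named "echo". The check runs in a fresh temporary
# directory and reports "vulnerable" only if that file appeared there.
check_cve_2014_7169() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "bash-not-found"; return 0; }
    tmp=$(mktemp -d) || { echo "no-tmpdir"; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then result="vulnerable"; else result="patched"; fi
    rm -rf "$tmp"
    echo "$result"
}

# Usage: report both checks for the bash on PATH (or the binary given as $1).
printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' \
    "$(check_cve_2014_6271 "${1:-}")" "$(check_cve_2014_7169 "${1:-}")"
```

A patched bash prints "patched" for both; it also writes a warning about the ignored function definition to stderr, which the checks discard. Passing a path such as /usr/local/bin/bash as the argument tests a second build on the same host.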
That is why I said this so-called bypass is clever.
Of course, this is just my own opinion; maybe there is some part of it I have not understood. You are welcome to discuss it with me.