"Broken Shell" (Shellshock) Bug fix

Source: Internet
Author: User

Background:

It has been about two weeks since the "Broken Shell" (Shellshock) vulnerability broke out (it was announced on September 24, 2014), and I'm sure many people have heard of it. The vulnerability, numbered CVE-2014-6271, has a severity rating of 10 and allows a remote attacker to execute arbitrary code on an affected system; by comparison, the previously disclosed "Heartbleed" vulnerability was rated only 5. Strangely, though, "Broken Shell" has not attracted much attention so far. The "Broken Shell" flaw has actually existed since as early as 1989, and fixing it is extremely troublesome. So far no bash patch can guarantee a 100% fix, so it is strongly recommended to install the latest bash-related system patches to make the system as secure as possible.

Vulnerability Impact Range:

CERT has now verified that the bash versions shipped with Red Hat, CentOS, Ubuntu, Fedora, Amazon Linux and MacOS 10.10 are affected by CVE-2014-6271. Because bash is so widely used in mainstream operating systems, the scope of this vulnerability includes, but is not limited to, most UNIX, Linux and MacOS systems that use bash, and it poses a high-risk threat to the data managed by these operating systems. The vulnerability can be exploited through many kinds of applications that interact with bash, including HTTP, DNS, OpenSSH, DHCP, and so on.

Vulnerability principle:

Bash currently invokes functions passed through environment variables by the function's name. The vulnerability arises when an environment variable whose value begins with "() {" is parsed into a function by the env command: after the function definition has been parsed, bash does not stop, but goes on parsing and executing the shell commands that follow it. The core reason is that the input filtering places no strict limit on the boundary and does not check that the parameters are legal.

The patch mainly filters parameters for legality. In the parse_and_execute function in builtins/evalstring.c, it performs a boundary and legality check on the input command, which rules out the possibility of code injection. The check relies mainly on two tests of flags and one match on the command type; so that flags can be tested accurately, the patch predefines two flags, SEVAL_FUNCDEF and SEVAL_ONECMD, as the basis for the decision. There are three patch updates for this vulnerability, and their main content is filtering the input command.

As the description of the principle shows, the root cause lies in Bash's env command implementation, so the vulnerability by itself cannot lead directly to remote code execution. To achieve remote code execution, a third-party service program must serve as the medium, and that program has to meet a number of conditions before it can play this role.

[Figure: schematic of the Shellshock vulnerability, CVE-2014-6271]


Vulnerability verification method:

Bash supports custom functions, and a custom function can be passed to dependent child processes by exporting it as an environment variable. Normally the code in the function body is not executed, but with this vulnerability bash incorrectly executes a command that lies outside the "{}" curly braces.

For example:

    # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

The result above shows that the Shellshock vulnerability is present.

Fix case:

This section demonstrates repairing the Shellshock vulnerability on Red Hat Enterprise Linux 5 in an offline environment. The detailed steps are as follows:

1. View the operating system and bash version:

    # lsb_release -d
    Description:    Red Hat Enterprise Linux Server release 5.8 (Tikanga)
    # bash -version
    GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
    Copyright (C) 2005 Free Software Foundation, Inc.

2. Open the official website, go to the CVE-2014-6271 vulnerability database page, and download the patch for the corresponding version:

    https://access.redhat.com/security/cve/cve-2014-6271

3. After the download, the vulnerability patch consists of the following two files:

    # ll bash-*
    -rw-r--r-- 1 root root 1901644 Oct 10 18:10 bash-3.2-33.el5_10.4.x86_64.rpm
    -rw-r--r-- 1 root root 1380099 Oct 18:10 bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm

4. Install the patches:

    # rpm -ivh bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm
    warning: bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
    Preparing...                ########################################### [100%]
       1:bash-debuginfo         ########################################### [100%]
    # rpm -ivh bash-3.2-33.el5_10.4.x86_64.rpm --force
    warning: bash-3.2-33.el5_10.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
    Preparing...                ########################################### [100%]
       1:bash                   ########################################### [100%]

The vulnerability has now been repaired.

Bug fix verification:

After the repair is complete, run the following commands to verify; the results indicate that the vulnerability has been fixed:

    # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    this is a test
    # env -i x='() { (a)=>\' bash -c 'echo date'; cat echo
    date
    Fri Oct 18:28:34 CST 2014
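
The checks from "Vulnerability verification method" and "Bug fix verification", wrapped into one reusable function; this is an added example, not part of the original article, and the name probe_bash is hypothetical. It runs both checks in a fresh scratch directory, so a file named echo left over from an earlier run cannot influence the result.

```shell
#!/bin/sh
# Added example (not from the original article): run the article's two
# checks against one bash binary and report the outcome.
# Prints: patched | vulnerable-funcdef | vulnerable-parser

probe_bash() {
    bash_bin=${1:-/bin/bash}
    # Fresh scratch directory: the second check leaves a file named "echo"
    # in the working directory on an affected bash, and a stale copy from
    # an earlier run would otherwise be mistaken for a new one.
    scratch=$(mktemp -d) || return 2
    result=patched

    # Check 1: an affected bash runs the command that follows the function
    # body while importing x, so "vulnerable" appears in the output.
    out=$(cd "$scratch" && env x='() { :;}; echo vulnerable' \
        "$bash_bin" -c 'echo this is a test' 2>/dev/null) || :
    case $out in
        *vulnerable*) result=vulnerable-funcdef ;;
    esac

    # Check 2: an affected bash ends up running "date" with its output
    # redirected to a file named "echo" instead of printing the word "date".
    if [ "$result" = patched ]; then
        (cd "$scratch" && env -i x='() { (a)=>\' \
            "$bash_bin" -c 'echo date' >/dev/null 2>&1) || :
        if [ -e "$scratch/echo" ]; then
            result=vulnerable-parser
        fi
    fi

    rm -rf "$scratch"
    echo "$result"
    [ "$result" = patched ]
}

# Stand-alone use: sh probe.sh /bin/bash
if [ "$#" -gt 0 ]; then
    probe_bash "$1"
fi
```

The exit status is 0 only for "patched", so the function can gate a patch-compliance script directly.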

Patch attachments:

bash-3.2-33.el5_10.4.x86_64