Self-diagnosis and repair of "shell-breaking vulnerabilities"

Source: Internet
Author: User

The Bash vulnerability also known as the "Shell Cracking" (Shellshock) vulnerability allows a remote attacker to execute arbitrary code on an affected system, and many system services can be affected: Web, SSH, GitLab, DHCP, and so on. The CVE database assigned two identifiers: CVE-2014-6271 and CVE-2014-7169. The second, CVE-2014-7169, exists because the first official Bash patch for CVE-2014-6271 was incomplete and could be bypassed. The methods for diagnosing and testing the two vulnerabilities are as follows:

CVE-2014-6271 vulnerability diagnosis test:

Open a terminal and run the following command:

[root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

This output indicates that the vulnerability exists. If instead you see:

[root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

then the CVE-2014-6271 vulnerability has been fixed.

CVE-2014-7169 vulnerability diagnosis test:

Open a terminal and run the following command (the test writes a file named echo in the current directory, so any existing one is removed first):

[root@localhost ~]# rm ./echo; env X='() { (a)=>\' bash -c 'echo date'; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Fri Sep 26 12:03:35 CST 2014

If the last line is a real date (the output of the date command, captured in the file echo), the CVE-2014-7169 vulnerability exists.
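A self-check script (an added example, not part of the original article) that runs both diagnostic tests above against a given bash binary and prints a verdict for each; the CVE-2014-7169 test runs in a scratch directory so no file named echo in the caller's current directory is touched. Function names are our own.

```sh
#!/bin/sh
# Shellshock self-check: runs the two diagnostic tests from the article
# against a given bash binary (default: the first "bash" in PATH) and prints
# "vulnerable", "fixed" or "error" for each CVE. Added example, not from the page.

# CVE-2014-6271: a patched bash refuses to run the command that trails the
# function body in the exported variable, so "vulnerable" never appears.
check_cve_2014_6271() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo error; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>/dev/null) || out=
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo fixed ;;
    esac
}

# CVE-2014-7169: on an unpatched bash the parser bypass leaves a pending ">"
# redirection, so 'echo date' is executed as 'date > echo' and the real date
# lands in a file named ./echo. A patched bash prints "date" and creates no file.
# The test runs in a scratch directory so the caller's own files are never touched.
check_cve_2014_7169() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo error; return 2; }
    tmpdir=$(mktemp -d) || { echo error; return 2; }
    verdict=$(
        cd "$tmpdir" || exit 2
        # the exit status is not the signal here; the side-effect file is
        env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 || :
        if [ -s ./echo ]; then echo vulnerable; else echo fixed; fi
    )
    rm -rf "$tmpdir"
    echo "$verdict"
}

# Stand-alone usage: report both results for the bash given as $1.
shellshock_report() {
    bash_bin=${1:-bash}
    echo "CVE-2014-6271: $(check_cve_2014_6271 "$bash_bin")"
    echo "CVE-2014-7169: $(check_cve_2014_7169 "$bash_bin")"
}
```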

Most operating systems have by now shipped fixes for both vulnerabilities, but some systems were not upgraded in time, especially for the patch-bypass vulnerability CVE-2014-7169.

Upgrade method:

Ubuntu/Debian: apt-get upgrade

RedHat/CentOS/Fedora: yum update -y bash

We recommend restarting the instance after the upgrade and running the diagnosis again. The results for the operating systems tested so far are listed below; because they depend on the test time and on how current the package sources were, your own diagnosis results take precedence.

OS / CVE-2014-6271 / CVE-2014-7169

Ubuntu: repaired / (second value missing in the source)

CentOS: repaired / unrepaired

Debian: unrepaired (the source does not say for which CVE)

RedHat: repaired / repaired
