Shellshock vulnerability repair

Shellshock vulnerability repair
Shell (Shellshock) vulnerability repair

 

Background:

More than two weeks have passed since the outbreak of the "Shellshock" Vulnerability (announced on April 9, September 24, 2014 ). I believe many people have heard of this hazard level of ten vulnerability, numbered as CVE-2014-6271, this vulnerability will cause remote attackers to execute arbitrary code on the affected system; in contrast, compared with the previous famous Vulnerability "heartbleed", there are only five, But the strange thing is that the current response of the "shell-breaking" vulnerability is not high. The "Shell Cracking" vulnerability actually exists as early as 1989, and it is extremely troublesome to fix it. So far, no bash patch can ensure 100% repair. We strongly recommend that you update the latest bash-related system patch in time to ensure the system is as secure as possible.

Vulnerability impact scope:

CERT has been verified to have a Bash version with CVE-2014-6271 vulnerability in Redhat, CentOS, Ubuntu, Fedor, Amazon Linux, MacOS 10.10, and has been widely used in various mainstream operating systems, this vulnerability has a scope of impact, but is not limited to the Unix, Linux, and MacOS of most Bash applications. There are high-risk threats to the data under these operating system management. Vulnerabilities are exploited through a variety of applications that interact with Bash, including HTTP, DNS, OpenSSH, and DHCP.

Vulnerability principle:

Currently, Bash uses the function name to call environment variables. In this case, the environment variables defined starting with "() {" are parsed into functions in the ENV command, bash does not exit, but continues to parse and execute shell commands. The core reason is that there is no strict restriction on the boundary in the input filter and no legal parameter judgment is made.

In the patch, the parameter validity is mainly filtered. the patch is in/bulitins/evalstring. the parse_and_execute function of c performs the boundary check of the legality of the input command to eliminate the possibility of code injection. In the exclusion, the two flags judgments are used to match the command type. In order to be able to determine the flags accurately, the SEVAL_FUNCDEF and SEVAL_ONECMD identifiers are pre-defined in the patch as the judgment basis. There are three patch updates for this vulnerability, which mainly filters out Input commands.

According to the vulnerability principle, the root cause of the vulnerability exists in the ENV command implementation of Bash. Therefore, the vulnerability itself cannot directly cause remote code execution. To achieve the purpose of remote code execution, you must use a third-party service program as the media. A third-party service program must meet many conditions to act as the media. Vulnerability name Shellshock code for CVE-2014-6271 vulnerability schematic can be seen as below:

Vulnerability verification method:

Currently, Bash scripts support user-defined functions by exporting environment variables. You can also pass User-Defined Bash functions to sub-processes. Generally, the code in the function body will not be executed, but this vulnerability will mistakenly execute commands out of braces.

###egg:[root@web3 ~]# env x=\'() { :;}; echo vulnerable\' bash -c \"echo this is a test\"vulnerablethis is a test

### The preceding execution result indicates that the Shellshock vulnerability exists.

Repair case:
Here we will demonstrate how to fix the Shellshock vulnerability in Redhat EnterPrise 5 in an offline environment. The detailed steps are as follows:

<Span style = "font-family: Georgia, Bitstream Charter, serif;"> 1. view the operating system and bash version: [root @ db01 ~] # Lsb_release-dDescription: Red Hat Enterprise Linux Server release 5.8 (Tikanga) [root @ db01 ~] # Bash-versionGNU bash, version 3.2.25 (1)-release (x86_64-redhat-linux-gnu) Copyright (C) 2005 Free Software Foundation, Inc.2. Open the official website to go to The CVE-2014-6271 Vulnerability Database page, find the corresponding version of the patch to download] # Ll bash-*-rw-r -- 1 root 1901644 Oct 10 bash-3.2-33.el5_10.4.x86_64.rpm-rw-r -- r -- 1 root 1380099 Oct 10 bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm4, install patches [root @ db01 ~] # Rpm-ivh bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm warning: bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186Preparing... ######################################## ### [100%] 1: bash-debuginfo ##################################### ###### [100%] [root @ db01 ~] # Rpm-ivh bash-3.2-33.el5_10.4.x86_64.rpm -- forcewarning: bash-3.2-33.el5_10.4.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897Preparing... ######################################## ### [100%] 1: bash ####################################### #### [1, 100%] </span> [root @ db01 ~] #

So far, the vulnerability has been fixed.
Vulnerability fix verification:

After the repair is completed, run the following command to verify that the vulnerability has been fixed:

[root@db01 ~]# env x=\'() { :;}; echo vulnerable\' bash -c \"echo this is a test\" this is a test[root@db01 ~]#[root@db01 ~]# env -i X=\'() { (a)=>\\\' bash -c \'echo date\'; cat echodateFri Oct 10 18:28:34 CST 2014[root@db01 ~]#

Patch attachment:

Bash-3.2-33.el5_10.4.x86_64-

Bourne-again shell needs to be updated

[◆] [Hello] [◆]

.
Bourne-again shell is a Shellshock vulnerability patch. We recommend that you update it,
.
The Bourne Shell is a part of a standard system application in multiple types of UNIX operating systems. It has a security vulnerability when creating files in the/tmp directory. When redirecting a file under the/tmp directory, the system does not check whether the file exists. This will cause a symbolic connection attack. You can use a redirection script to write files.
.
Reference link:
.
Bbs.feng.com/..341164
.
If valid, click "satisfactory answer" in the upper-right corner of the phone. By the way, it is better to click "awesome" and "high praise.

Is linux server traffic abnormal recently? A suspicious process was found by the Query Process. Is it hacked?

Run the command ps-auxwe to view the absolute path of the process.
Ls-l/proc/PID/exe. Which file can be viewed?