Why is the Bash Security Vulnerability a global server attack?


On September 24, 2014, a critical security vulnerability in Bash, numbered CVE-2014-6271, was disclosed; it allows remote attackers to execute arbitrary code on affected systems. GNU Bash is the Unix shell written for the GNU project and is widely used on Linux systems; its original role was merely that of a simple terminal-based command interpreter. The result is that at least 1.5 million hosts around the world are affected, and Android and Apple devices, which belong to the Linux/Unix world, will not be spared.

Shellshock's severity is rated 10 (the highest), whereas the OpenSSL Heartbleed vulnerability that broke out in April this year was rated only 5!

Gitlab-shell is affected by Bash CVE-2014-6271 Vulnerability

Linux security vulnerability exposure: Bash is more serious than Heartbleed

The solution is to upgrade Bash; please refer to this article.

Vulnerability description:

GNU Bash 4.3 and earlier versions contain a security vulnerability in the way they evaluate certain specially constructed environment variables. Appending extra strings after a function definition in an environment variable's value triggers the vulnerability; attackers can exploit it to change or bypass environment restrictions and execute shell commands. Some services and applications allow unauthenticated remote attackers to supply environment variables, which makes the vulnerability exploitable remotely. The root cause is that environment variables with constructed values are created before the Bash shell is invoked; these variables can contain code that is executed as soon as the shell starts.

Impact:

This Shellshock vulnerability is indeed very dangerous, more serious than the Heartbleed vulnerability that broke out on April 8 this year. However, the detection methods for Shellshock are complex and differ from component to component, so its impact is hard to assess. What is certain is that Bash <= 4.3 is affected, and Bash runs on at least tens of billions of devices, because it is the most popular Linux shell.

The ZoomEye team from Chuangyu has reached some conclusions about the impact by combining several detection methods.

First group of data

After a targeted test by ZoomEye, 13254 Internet-facing systems of one domestic manufacturer were found to be affected by Shellshock and directly attackable remotely.

Second group of data

After ZoomEye's fuzzing test, about 142000 hosts are affected globally. Note that because the fuzzing rules are incomplete, this count is certainly incomplete; nevertheless, it at least shows that a large area can be directly attacked remotely.

Third group of data

We saw the announcement from masscan's author: http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html. Their global probe concluded that at least 1.5 million hosts are affected. Their verification rule is very simple, just a direct request to port 80 of each host; we are also verifying this conclusion.

These groups of data show that the probing methods differ. If probing continues to expand, a clearer picture of the impact (hosts that can be directly attacked remotely) will gradually emerge; Chuangyu will continue this work.

Shellshock vulnerability summary:
  1. The hazard level is 10 (the highest), whereas Heartbleed was rated only 5;
  2. Bash is broken; it has survived for more than 20 years in the Linux/Unix world;
  3. Worms exploiting Shellshock have already appeared;
  4. Although this is a problem in the Linux/Unix world, do not forget that Android and Apple belong to that world too (this requires in-depth verification); Windows, of course, is fine this time;
  5. Exploiting Shellshock is more troublesome than exploiting Heartbleed, so it is no wonder its apparent impact is much lower. It is understandable that many media outlets have not paid much attention to it, but it is absolutely powerful.

Where this vulnerability may have an effect

Note: the following is taken from: https://raw.githubusercontent.com/citypw/DNFWAH/master/4/d4_0x07_DNFWAH_shellshock_bash_story_cve-2014-6271.txt

These conclusions have been verified.

  1. In the sshd configuration, ForceCommand is used to restrict which commands remote users can execute. This vulnerability bypasses that restriction and allows arbitrary commands to be executed. Similar restrictions in Git and Subversion shell deployments are affected in the same way; normal OpenSSH use without such restrictions is not a problem.
  2. Apache servers using mod_cgi or mod_cgid are affected if the CGI script is written in Bash or spawns a sub-shell. Such sub-shells are used implicitly by system/popen in C, os.system/os.popen in Python, system/exec in PHP (in CGI mode), and open/system in Perl when a shell is used.
  3. PHP scripts executed by mod_php are not affected.
  4. DHCP clients invoke shell scripts to configure the system, passing values received from the remote DHCP server as environment variables; a malicious server can therefore exploit this vulnerability.
  5. Various daemons and SUID programs that execute shell scripts in an environment where environment variable values are set from user input may also be affected.
  6. Any other program that runs shell scripts with Bash as the interpreter may be affected. Shell scripts that do not export environment variables are not affected.
To verify the vulnerability, run the following command to check whether the system is affected:

CVE-2014-6271 test method:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Note: for a source-code-level analysis of CVE-2014-6271, please refer to:

After the first patch was bypassed, the latest test method, for CVE-2014-7169, is:

    $ env -i X='() { (a)=>\' bash -c 'echo date'; cat echo

If the output looks like the following, the vulnerability still exists:

    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    Wed Sep 24 14:12:49 PDT 2014
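The two manual tests above, wrapped into one check script as an added example (not part of the original article). It assumes a POSIX /bin/sh and the bash binary under test (default: the first bash on PATH); the function name shellshock_check and its result words are my own, and the CVE-2014-7169 probe runs in a private temporary directory so the file named echo that a vulnerable bash creates never lands in the caller's working directory.

```shell
#!/bin/sh
# Added example: local Shellshock check for the two CVEs discussed in the text.
# Prints one of: vulnerable-6271, vulnerable-7169, patched, no-bash
# Exit status: 0 = patched, 1 = vulnerable, 2 = no usable bash found.
shellshock_check() {
    bash_bin=$(command -v "${1:-bash}" 2>/dev/null) || { echo no-bash; return 2; }

    # CVE-2014-6271: a command appended after the exported function body must
    # not be executed when bash imports the function from the environment.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable-6271; return 1 ;;
    esac

    # CVE-2014-7169: on a vulnerable bash the broken function parse leaves a
    # dangling redirection, so "echo date" becomes ">echo date" and writes the
    # date into a file named "echo". We only look for that file; its contents
    # are irrelevant. Run in a temp dir so nothing is left behind.
    tmp=$(mktemp -d) || { echo no-bash; return 2; }
    ( cd "$tmp" && env -i X='() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo vulnerable-7169
        return 1
    fi
    rm -rf "$tmp"
    echo patched
    return 0
}

# Run directly: optional first argument is the path of the bash to test.
shellshock_check "${1:-bash}"
```

A word other than "patched" (or a non-zero exit status) means the installed bash still needs the upgrade the article recommends.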

There is not yet a fully reliable general-purpose fix; watch for the next Bash upgrade.

Source: geek Park
Original: http://www.geekpark.net/topics/211035 Author: cosine
