Shellshock: Remembering the Shellshock Vulnerability

shellshock

Sold) type of OS Command Injection was reported. The Shellshock vulnerability, also known as CVE-2014-6271, allowed attackers to inject their own code into Bash using specially crafted environment variables. It was a horror. But a horrifically beautiful vuln.

Bash supports exporting not just shell variables but also shell functions to other bash instances, via the process environment, to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value, to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.

For example, an environment variable setting of VAR=() { ignored; }; /bin/id would execute /bin/id when the environment is imported into the Bash process. The caveat is that the PATH variable may not have been set up yet, and Bash could crash after executing /bin/id, but the damage has already happened at this point.

The fact that an environment variable with an arbitrary name could be used as a carrier for a malicious function definition containing trailing commands made this vulnerability particularly severe, enabling network-based exploitation.
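
One way to spot the carrier described above in a process environment, as an added example that is not part of the original post: the script flags values that begin with “() {” and notes whether text follows the function body. The CGI-style variable names and the sample values are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag environment entries whose
# value starts with "() {", the marker bash used for exported functions.

# Constructed sample: a CGI-style environment, one NAME=value per line.
# HTTP_USER_AGENT carries the example value quoted in the text above.
sample_env() {
cat <<'EOF'
PATH=/usr/bin:/bin
HTTP_HOST=www.example.test
HTTP_USER_AGENT=() { ignored; }; /bin/id
HTTP_ACCEPT=text/html
greet=() { echo hello; }
EOF
}

# classify_value VALUE -> prints plain | funcdef | funcdef+trailing
classify_value() {
    case "$1" in
        "() {"*) ;;                      # looks like a function definition
        *) echo plain; return 0 ;;
    esac
    # Heuristic: anything left after the last "}" (ignoring blanks and ";")
    # is text a vulnerable bash would have gone on to parse and execute.
    rest=${1##*\}}
    rest=$(printf '%s' "$rest" | tr -d ' \t;')
    if [ -n "$rest" ]; then echo "funcdef+trailing"; else echo funcdef; fi
}

# scan_env: reads NAME=value lines on stdin, prints "NAME<TAB>verdict"
# for every entry that is not plain. In a variable filled from network
# input (assumed here: HTTP_*), either verdict deserves an alert.
scan_env() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        verdict=$(classify_value "$value")
        [ "$verdict" = plain ] || printf '%s\t%s\n' "$name" "$verdict"
    done
}

sample_env | scan_env
```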

Even scarier, the NIST vulnerability database has rated this vulnerability “10 out of 10” in terms of severity, and there were claims that Shellshock attacks could top one billion. Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about Shellshock went public last week!

Pretty nasty stuff, huh?

Understanding the Bash Shell

To understand this vulnerability, we need to know how Bash handles functions and environment variables. The GNU Bourne Again shell (BASH) is a Unix shell and command language interpreter. It was released in 1989 by Brian Fox for the GNU Project as a free software replacement for the Bourne shell (which was born back in 1977).

$ man bash
NAME
    bash - GNU Bourne-Again SHell
SYNOPSIS
    bash [options] [file]
COPYRIGHT
    Bash is Copyright (C) 1989-2011 by the Free Software Foundation, Inc.
DESCRIPTION
    Bash is a sh-compatible command language interpreter that executes commands read from the standard input or from a file. Bash also incorporates useful features from the Korn and C shells (ksh and csh).
(...)

Of course, there are
