This one leaves you speechless: a remote code execution vulnerability in Bash, CVE-2014-6271:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
The explanation can be found on oss-sec in "Re: CVE-2014-6271: remote code execution through bash":
Debian and other GNU/Linux vendors plan to disclose a critical, remotely exploitable security vulnerability in bash this week, related to the processing of environment variables. Stephane Chazelas discovered it, and CVE-2014-6271 has been assigned to it.
So it gets in through environment variables... Red Hat's "Bash specially-crafted environment variables code injection attack" article also gives quite a few examples.
Under Linux the most commonly used shell is probably still Bash, isn't it? (Although I have also seen quite a few people using Zsh...)
And then on Twitter I saw a very evil Google hack:
google filetype:sh inurl:cgi-bin;
— dragosr (@dragosr) September 25, 2014
You can add your own site: and go scan...
zsh 5.0.2 is also affected; it didn't escape either.
It shouldn't be affected... if you ln -s /bin/zsh /bin/bash, then who knows... XD
Thorsten Glaser 2014-09-25 07:58:11 EDT
(In reply to Björn Puttmann from comment #29)
> Just as a heads up: The second vulnerability seems also to work with zsh
> (zsh 4.3.10 (x86_64-redhat-linux-gnu) on CentOS 6.5 and zsh (zsh 4.3.9
> (i386-apple-darwin10.0) on Mac.
(In reply to ZendoQ from comment #30)
> Just to let you know: The second vulnerability also works on zsh 5.0.2
> (x86_64-apple-darwin13.0) on Mac.
This is nonsense. The import of functions from the environment is a
GNU bash-only feature. Neither zsh nor mksh support this.
The format GNU bash uses is that, if an imported variable begins
with “() {”, it’s taken as function. For every other shell, these
are just normal strings.
Björn Puttmann 2014-09-25 08:16:23 EDT
You are absolutely correct.
Please ignore my previous post and sorry for this unnecessary noise.
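As an added example, not part of the original post or of the quoted threads, the following POSIX shell script runs the Red Hat style probe against a bash binary to tell a patched build from a vulnerable one, and shows that the same environment value is plain text to a shell that does not import functions, which is the point made in the Bugzilla thread above. The function names and the marker string are my own.

```shell
#!/bin/sh
# Added example (not from the original post): a defender's check for the
# CVE-2014-6271 function-import defect, using the Red Hat style probe.
# A vulnerable bash imports the variable x as a function because its value
# starts with "() {", and then also runs the trailing "echo ..." that follows
# the function body. A patched bash, and every other shell, treats the value
# as an ordinary string, so the marker never appears in the output.
MARKER='SHELLSHOCK_PROBE_MARKER'

# Prints "patched", "vulnerable" or "missing" for the bash binary given as $1
# (defaults to the first "bash" found on PATH).
check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # The trailing command only prints a marker; nothing else is executed.
    out=$(env x="() { :;}; echo $MARKER" "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# Shows what a shell without function import sees: the variable is just text,
# exactly as Thorsten Glaser describes for zsh and mksh.
env_value_as_seen_by_sh() {
    env x="() { :;}; echo $MARKER" sh -c 'printf "%s" "$x"'
}

check_shellshock
```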