Bash Remote Code Execution Vulnerability

This one leaves me speechless: a remote code execution vulnerability in Bash, CVE-2014-6271:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

The explanation can be found on oss-sec, in "Re: CVE-2014-6271: remote code execution through bash":

Debian and other GNU/Linux vendors plan to disclose a critical, remotely exploitable security vulnerability in bash this week, related to the processing of environment variables. Stephane Chazelas discovered it, and CVE-2014-6271 has been assigned to it.

The attack comes in through environment variables... Red Hat's article "Bash specially-crafted environment variables code injection attack" also gives quite a few examples.
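As an added example (not from the original post or from the advisories it cites), this Python scanner checks web access logs for Referer and User-Agent values that begin with `() {`, the marker Bash uses to import a function from the environment, and reports any text that follows the function body. The log lines, addresses and field choices are constructed, and the loose whitespace matching and brace counting are simplifying assumptions.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'(?:[^"\\]|\\.)*'   # Apache logs embedded quotes as \"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)
# Bash imports a variable as a function when its value begins with "() {".
# Whitespace is matched loosely here so near-variants are flagged too (assumption).
FUNC_PREFIX = re.compile(r'\s*\(\)\s*\{')

def trailing_after_body(value):
    """Text after the function body's closing brace ('' if none, None if unclosed).
    Approximate: counts braces and ignores shell quoting."""
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].lstrip("; \t")
    return None

def scan(lines):
    """Return one finding per header field that looks like a Bash function import."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skipped in this example
        for field in ("referer", "agent"):
            value = m.group(field).replace('\\"', '"')
            if FUNC_PREFIX.match(value):
                findings.append({"line": n, "host": m.group("host"), "field": field,
                                 "trailing": trailing_after_body(value)})
    return findings

# Constructed sample log lines (documentation address ranges, harmless marker text).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; echo constructed-marker"',
    '198.51.100.7 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }" "curl/7.38.0"',
    '203.0.113.4 - - [25/Sep/2014:10:00:12 +0000] "GET /docs/shell.html HTTP/1.1" 200 900 "-" "DocBot/1.0 (notes on () { syntax)"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

A finding with non-empty `trailing` matches the CVE description's "trailing strings after function definitions"; an empty one is still worth reviewing, since ordinary clients do not send header values that start with `() {`.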

On Linux, the most commonly used shell is probably still Bash, right? (Although I also see quite a few people using Zsh...)

Then I saw a really evil Google hack on Twitter:

You can add site: yourself and go scan...


4 Responses to Bash Remote Code Execution Vulnerability

  1. Pingback: CVE-2014-6271 - Bash remote execution security vulnerability - Tsung's Blog

  2. Mach says:

    zsh 5.0.2 is affected too; it did not escape this.

  3. Roy says:

    It shouldn't be affected… though if you did ln -s /bin/zsh /bin/bash, then I don't know… XD

    Thorsten Glaser 2014-09-25 07:58:11 EDT
    (In reply to Björn Puttmann from comment #29)
    > Just as a heads up: The second vulnerability seems also to work with zsh
    > (zsh 4.3.10 (x86_64-redhat-linux-gnu) on CentOS 6.5 and zsh (zsh 4.3.9
    > (i386-apple-darwin10.0) on Mac.

    (In reply to ZendoQ from comment #30)
    > Just to let you know: The second vulnerability also work on zsh 5.0.2
    > (x86_64-apple-darwin13.0) on Mac.

    This is nonsense. The import of functions from the environment is a
    GNU bash-only feature. Neither zsh nor mksh support this.

    The format GNU bash uses is that, if an imported variable begins
    with “() {”, it’s taken as function. For every other shell, these
    are just normal strings.

    Björn Puttmann 2014-09-25 08:16:23 EDT
    You are absolutely correct.
    Please ignore my previous post and sorry for this unnecessary noise.

  4. John Linq says:

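    I've seen a few articles saying this vulnerability has existed for decades. Was there even networking decades ago? Nonsense!
    It feels like the requirements were quietly changed while the code kept being reused.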
