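Introduction
CVE-2014-6271 (the "Shellshock" vulnerability) is widespread on Linux-family (*inux) systems running GNU Bash version 4.3 or earlier. As long as the target server exposes an application or service that interacts with Bash, the vulnerability may be triggered successfully, yielding a shell on the target system with the same privileges as the user currently running Bash.
The vulnerability lets an attacker execute chosen code by crafting the value of an environment variable, and it affects many kinds of applications that interact with Bash, including HTTP, OpenSSH, and DHCP.
Detection
Vulnerable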
[scutech@localhost ~]$ bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[scutech@localhost ~]$ env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
vulnerable
This is a test
Not vulnerable
scutech@Yao:~$ bash --version
GNU bash, version 4.4.19(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
scutech@Yao:~$ env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
This is a test
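As a complement to the local test above, this added example (not part of the original post) scans a web access log for the `() {` function-definition prefix used in the test string, since the introduction names HTTP as an affected interface. The log lines, the documentation-range IP addresses and the function names are constructed for illustration, and the combined log format is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): find HTTP log entries whose
# request line, Referer or User-Agent carries the "() {" function-definition
# prefix that vulnerable Bash versions parse out of environment variables.

# Constructed sample in combined log format; IPs are documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "() { :;}; echo vulnerable" "curl/7.30"
192.0.2.10 - - [25/Sep/2014:10:02:00 +0000] "GET /docs/func() HTTP/1.1" 404 0 "-" "Mozilla/5.0"
EOF
}

# Reads a combined-format access log on stdin and prints
# "<client-ip> <field>" for every quoted field that matches.
shellshock_hits() {
    awk -F'"' '
    function check(ip, name, value) {
        # "()" followed by optional blanks and "{": a heuristic that also
        # tolerates spacing variants; a bare "()" in a URL does not match.
        if (value ~ /\(\)[ \t]*[{]/) print ip, name
    }
    {
        # Splitting on double quotes: $2 = request line, $4 = Referer,
        # $6 = User-Agent; the client IP is the first word of $1.
        split($1, head, " ")
        check(head[1], "request", $2)
        check(head[1], "referer", $4)
        check(head[1], "user-agent", $6)
    }'
}

# Number of distinct client IPs with at least one hit.
shellshock_source_count() {
    shellshock_hits | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

sample_log | shellshock_hits
```

A hit only shows that a request carried the pattern; whether the host was affected still depends on the Bash version check shown above.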
Fix
Check the current package information:
[root@localhost ~]# yum list updates|grep bash
bash.x86_64 4.1.2-48.el6 base
[root@localhost ~]# yum info bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
Installed Packages
Name : bash
Arch : x86_64
Version : 4.1.2
Release : 15.el6_4
Size : 3.0 M
Repo : installed
From repo : anaconda-CentOS-201311272149.x86_64
Summary : The GNU Bourne Again shell
URL : http://www.gnu.org/software/bash
License : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
: interpreter that is compatible with the Bourne shell (sh). Bash
: incorporates useful features from the Korn shell (ksh) and the C shell
: (csh). Most sh scripts can be run by bash without modification.
Available Packages
Name : bash
Arch : x86_64
Version : 4.1.2
Release : 48.el6
Size : 910 k
Repo : base
Summary : The GNU Bourne Again shell
URL : http://www.gnu.org/software/bash
License : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
: interpreter that is compatible with the Bourne shell (sh). Bash
: incorporates useful features from the Korn shell (ksh) and the C shell
: (csh). Most sh scripts can be run by bash without modification.
As shown, the latest release is 48, while the currently installed release is 15. We download the package locally and then upgrade.
# yumdownloader !$
yumdownloader bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
bash-4.1.2-48.el6.x86_64.rpm | 910 kB 00:00
[root@localhost ~]# rpm -Uvh bash-4.1.2-48.el6.x86_64.rpm
warning: bash-4.1.2-48.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing... ########################################### [100%]
1:bash ########################################### [100%]
[root@localhost ~]# yum info bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
Installed Packages
Name : bash
Arch : x86_64
Version : 4.1.2
Release : 48.el6
Size : 3.0 M
Repo : installed
Summary : The GNU Bourne Again shell
URL : http://www.gnu.org/software/bash
License : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
: interpreter that is compatible with the Bourne shell (sh). Bash
: incorporates useful features from the Korn shell (ksh) and the C shell
: (csh). Most sh scripts can be run by bash without modification.
Test again; it passes:
[root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
This is a test
遥远2018