简介
CVE-2014-6271(即“破壳”漏洞)广泛存在与GNU Bash 版本小于等于4.3的*inux的系统之中,只要目标服务器开放着与Bash相交互的应用与服务,就有可能成功触发漏洞,获取目标系统当前Bash运行用户相同权限的shell接口。
该漏洞可以通过构造环境变量的值来执行想要执行的攻击代码脚本,会影响到与Bash交互的多种应用,包括HTTP、OpenSSH、DHCP等。
检测
有漏洞
[scutech@localhost ~]$ bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[scutech@localhost ~]$ env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
vulnerable
This is a test
无漏洞
scutech@Yao:~$ bash --version
GNU bash, version 4.4.19(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
scutech@Yao:~$ env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
This is a test
解决办法
查看目前包信息:
[root@localhost ~]# yum list updates|grep bash
bash.x86_64 4.1.2-48.el6 base
[root@localhost ~]# yum info bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
Installed Packages
Name : bash
Arch : x86_64
Version : 4.1.2
Release : 15.el6_4
Size : 3.0 M
Repo : installed
From repo : anaconda-CentOS-201311272149.x86_64
Summary : The GNU Bourne Again shell
URL : http://www.gnu.org/software/bash
License : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
: interpreter that is compatible with the Bourne shell (sh). Bash
: incorporates useful features from the Korn shell (ksh) and the C shell
: (csh). Most sh scripts can be run by bash without modification.
Available Packages
Name : bash
Arch : x86_64
Version : 4.1.2
Release : 48.el6
Size : 910 k
Repo : base
Summary : The GNU Bourne Again shell
URL : http://www.gnu.org/software/bash
License : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
: interpreter that is compatible with the Bourne shell (sh). Bash
: incorporates useful features from the Korn shell (ksh) and the C shell
: (csh). Most sh scripts can be run by bash without modification.
可以看到在最新的release是48,当前安装的是15。我们将包下载到本地后升级。
# yumdownloader !$
yumdownloader bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
bash-4.1.2-48.el6.x86_64.rpm | 910 kB 00:00
[root@localhost ~]# rpm -Uvh bash-4.1.2-48.el6.x86_64.rpm
warning: bash-4.1.2-48.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing... ########################################### [100%]
1:bash ########################################### [100%]
[root@localhost ~]# yum info bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
Installed Packages
Name : bash
Arch : x86_64
Version : 4.1.2
Release : 48.el6
Size : 3.0 M
Repo : installed
Summary : The GNU Bourne Again shell
URL : http://www.gnu.org/software/bash
License : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
: interpreter that is compatible with the Bourne shell (sh). Bash
: incorporates useful features from the Korn shell (ksh) and the C shell
: (csh). Most sh scripts can be run by bash without modification.
再测试,过了:
[root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
This is a test
