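Introduction
CVE-2014-6271 (the "Shellshock" vulnerability) is widespread on Linux systems running GNU Bash version 4.3 or earlier. As long as the target server exposes an application or service that interacts with Bash, the vulnerability can potentially be triggered, giving the attacker a shell with the same privileges as the user that Bash is running as on the target system.
The vulnerability allows attack code to be executed by crafting the value of an environment variable, and it affects many kinds of applications that interact with Bash, including HTTP, OpenSSH, and DHCP.
Detection
Vulnerable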
[scutech@localhost ~]$ bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[scutech@localhost ~]$ env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
vulnerable
This is a test
Not vulnerable
scutech@Yao:~$ bash --version
GNU bash, version 4.4.19(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
scutech@Yao:~$ env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
This is a test
Solution
Check the current package information:
[root@localhost ~]# yum list updates|grep bash
bash.x86_64    4.1.2-48.el6    base
[root@localhost ~]# yum info bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.ustc.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.163.com
Installed Packages
Name        : bash
Arch        : x86_64
Version     : 4.1.2
Release     : 15.el6_4
Size        : 3.0 M
Repo        : installed
From repo   : anaconda-CentOS-201311272149.x86_64
Summary     : The GNU Bourne Again shell
URL         : http://www.gnu.org/software/bash
License     : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
            : interpreter that is compatible with the Bourne shell (sh). Bash
            : incorporates useful features from the Korn shell (ksh) and the C shell
            : (csh). Most sh scripts can be run by bash without modification.

Available Packages
Name        : bash
Arch        : x86_64
Version     : 4.1.2
Release     : 48.el6
Size        : 910 k
Repo        : base
Summary     : The GNU Bourne Again shell
URL         : http://www.gnu.org/software/bash
License     : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
            : interpreter that is compatible with the Bourne shell (sh). Bash
            : incorporates useful features from the Korn shell (ksh) and the C shell
            : (csh). Most sh scripts can be run by bash without modification.
As shown, the latest release is 48, while the currently installed release is 15. We download the package locally and then upgrade.
# yumdownloader !$
yumdownloader bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
 * base: mirrors.ustc.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.163.com
bash-4.1.2-48.el6.x86_64.rpm                             | 910 kB     00:00
[root@localhost ~]# rpm -Uvh bash-4.1.2-48.el6.x86_64.rpm
warning: bash-4.1.2-48.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing...                ########################################### [100%]
   1:bash                   ########################################### [100%]
[root@localhost ~]# yum info bash.x86_64
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.ustc.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.163.com
Installed Packages
Name        : bash
Arch        : x86_64
Version     : 4.1.2
Release     : 48.el6
Size        : 3.0 M
Repo        : installed
Summary     : The GNU Bourne Again shell
URL         : http://www.gnu.org/software/bash
License     : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
            : interpreter that is compatible with the Bourne shell (sh). Bash
            : incorporates useful features from the Korn shell (ksh) and the C shell
            : (csh). Most sh scripts can be run by bash without modification.
Test again; it now passes:
[root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c "echo This is a test"
This is a test
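The probe used in the detection and retest steps above, wrapped so it can be pointed at any bash binary and read from an exit status (a host can carry more than one copy of bash, and the rpm upgrade only replaces the packaged one). This is an added example, not part of the original post; the function names `check_shellshock` and `report` and the marker string are hypothetical.

```sh
#!/bin/sh
# Added example: the page's CVE-2014-6271 probe as a reusable check.
# It tests only the behaviour shown on this page (code after the function
# body in an environment variable being executed at bash start-up).

# check_shellshock BASH_PATH
#   returns 0 = vulnerable, 1 = not vulnerable, 2 = could not be tested
check_shellshock() {
    cs_bin=$1
    [ -x "$cs_bin" ] || return 2
    # Unique marker so ordinary start-up output cannot cause a false positive.
    cs_marker="SHELLSHOCK_PROBE_$$"
    # env -i: empty environment, so only the probe variable reaches the shell.
    cs_out=$(env -i x="() { :;}; echo $cs_marker" \
                 "$cs_bin" -c 'echo probe-done' 2>/dev/null) || return 2
    case $cs_out in
        *"$cs_marker"*) return 0 ;;   # trailing code ran: vulnerable
        *probe-done*)   return 1 ;;   # only the -c command ran: not vulnerable
        *)              return 2 ;;   # unexpected output: treat as untested
    esac
}

# report BASH_PATH: print a one-line verdict for the given binary.
report() {
    r_rc=0
    check_shellshock "$1" || r_rc=$?
    case $r_rc in
        0) echo "$1: VULNERABLE to CVE-2014-6271" ;;
        1) echo "$1: not vulnerable" ;;
        *) echo "$1: could not be tested" ;;
    esac
}

# Test every path given on the command line, for example:
#   sh check.sh /bin/bash /usr/local/bin/bash
for r_path in "$@"; do
    report "$r_path"
done
```
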