[讨论]CVE-2014-6271/CVE-2014-7169(Bash bug/Shellshock) 的利用方式和影响范围讨论-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

最新回复 (5)
木桩雪币： 296 活跃值： (89) 能力值： ( LV15，RANK：340 ) 在线值：发帖 13 回帖 241 粉丝 4 关注私信	木桩 8 2 楼找到redhat关于 Bash specially-crafted environment variables code injection attack 的原文： ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access. Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string). PHP scripts executed with mod_php are not affected even if they spawn subshells. DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine. Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run. Any other application which is hooked onto a shell or runs a shell script as using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells. 里面提到DHCP，出问题的地方显然在DHCP clients DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine. 2014-9-26 08:59 0
fatecaster 雪币： 135 活跃值： (63) 能力值： ( LV5，RANK：60 ) 在线值：发帖 39 回帖 314 粉丝 0 关注私信	fatecaster 1 3 楼学习一下。支持！ 2014-9-26 09:03 0
wonderzdh 雪币： 62 活跃值： (971) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 323 粉丝 5 关注私信	wonderzdh 1 4 楼昨天阿里云通知了这个漏洞，懒得修复... 2014-9-26 09:52 0
木桩雪币： 296 活跃值： (89) 能力值： ( LV15，RANK：340 ) 在线值：发帖 13 回帖 241 粉丝 4 关注私信	木桩 8 5 楼确实。感觉服务器上没有加载 apache mod_cgi 就问题不大，mod_php不受影响。而嵌入式系统上，大部分使用busybox，也不奏效(OpenWrt默认的luci是lua，而写个bash脚本又跑不起来...) 目前就想看看那个DHCP clients怎么回事 ps: 就CVE-2014-7169的情况看，目前大部分修复了的也可以绕过。下面这个依然能够执行： env X='() { (a)=>\' bash -c "echo ls /"; cat echo 2014-9-26 10:09 0
rainyxufh 雪币： 213 活跃值： (24) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 14 粉丝 0 关注私信	rainyxufh 6 楼攻击DHCP client 是从dhcp服务器上发起的。 https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/ 2014-9-28 09:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (5)
木桩雪币： 296 活跃值： (89) 能力值： ( LV15，RANK：340 ) 在线值：发帖 13 回帖 241 粉丝 4 关注私信	木桩 8 2 楼找到redhat关于 Bash specially-crafted environment variables code injection attack 的原文： ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access. Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string). PHP scripts executed with mod_php are not affected even if they spawn subshells. DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine. Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run. Any other application which is hooked onto a shell or runs a shell script as using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells. 里面提到DHCP，出问题的地方显然在DHCP clients DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine. 2014-9-26 08:59 0
fatecaster 雪币： 135 活跃值： (63) 能力值： ( LV5，RANK：60 ) 在线值：发帖 39 回帖 314 粉丝 0 关注私信	fatecaster 1 3 楼学习一下。支持！ 2014-9-26 09:03 0
wonderzdh 雪币： 62 活跃值： (971) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 323 粉丝 5 关注私信	wonderzdh 1 4 楼昨天阿里云通知了这个漏洞，懒得修复... 2014-9-26 09:52 0
木桩雪币： 296 活跃值： (89) 能力值： ( LV15，RANK：340 ) 在线值：发帖 13 回帖 241 粉丝 4 关注私信	木桩 8 5 楼确实。感觉服务器上没有加载 apache mod_cgi 就问题不大，mod_php不受影响。而嵌入式系统上，大部分使用busybox，也不奏效(OpenWrt默认的luci是lua，而写个bash脚本又跑不起来...) 目前就想看看那个DHCP clients怎么回事 ps: 就CVE-2014-7169的情况看，目前大部分修复了的也可以绕过。下面这个依然能够执行： env X='() { (a)=>\' bash -c "echo ls /"; cat echo 2014-9-26 10:09 0
rainyxufh 雪币： 213 活跃值： (24) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 14 粉丝 0 关注私信	rainyxufh 6 楼攻击DHCP client 是从dhcp服务器上发起的。 https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/ 2014-9-28 09:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复