How does CVE-2014-7169 work? Breakdown of the test code

Question

With a bash release which has been patched for shellshock

$ bash --version
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin12)
Copyright (C) 2007 Free Software Foundation, Inc.

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

The exploit still works and has been assigned

$ env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Thu Sep 25 12:47:22 EDT 2014

$ ls echo
echo

Looking for a breakdown of this as well.

Answer

The bug

CVE-2014-7169 is a bug in bash's parser. Bash's parser uses a variable eol_ungetc_lookahead to ungetc characters across lines. That variable wasn't being properly reset from the reset_parser function, which is called e.g. on some syntax errors. Using that bug, it's possible to inject a character into the start of the next bash input line.

So the test code forces a syntax error, using either (a)= or function a a, adds the redirection character to prepend to the next line >, and adds a line continuation \, which leads to either version of the test code:

() { (a)=>\
() { function a a>\

When bash is executed, it processes variables from the environment, finds that variable X is an exported function, and evaluates it to import the function. But the evaluation fails with a parse error, leaving the > character in the eol_ungetc_lookahead variable. Then, when parsing the command argument echo date, it prepends the > character, leading to >echo date, which runs date redirected to a file named echo.

The above bug is obviously very different to the original shellshock bug. There are actually several problems:

  • Bash evaluates completely a variable that looks like an exported function (starts with the four characters () {). CVE-2014-6271.
  • Under some conditions, it is possible to inject a character into an ungetc variable, that will be prepended to the next input line. CVE-2014-7169.
  • Bash allows every environment variable to be treated like an exported function, so long as it starts with the four characters () {. CVE-2014-6271, CVE-2014-7169, all the other CVEs where a bug is triggered in bash's parser.
  • There is a limited stack for here-doc redirection, and there is no check for overflow. CVE-2014-7186, which leads to memory corruption, and can probably be leveraged for arbitrary code execution.
  • There is a limited stack for nested control structures (select/for/while), with checks for overflow. That stack is still corrupted. CVE-2014-7187.

  • The first patch (http://git.savannah.gnu.org/cgit/bash.git/diff/?id=b64a0e1d0b412cedda763a32d6e5cd6927333f02&id2=1a1f8b54fb29c2af275253f35a7fcf79815222d5) restricts bash to evaluating a single function definition in each variable that looks like an exported function.
  • The second patch (http://git.savannah.gnu.org/cgit/bash.git/diff/?id2=b64a0e1d0b412cedda763a32d6e5cd6927333f02&id=836a17be08ee0696b89367ab1aa27d0be87169ed) properly resets eol_ungetc_lookahead on reset_parser.
  • The third patch (http://git.savannah.gnu.org/cgit/bash.git/commit/?id=3590145af6f1c9fa321dff231f69ae696e7e740b) changes how functions are exported: now they are exported in variables named BASH_FUNC_functionname%%.

The big problem here has been that every environment variable could be used as a vector for attack. Typically, attackers cannot control arbitrary environment variables, otherwise there are already other known attacks (think of LD_PRELOAD, PATH, IFS, ...).

sudo is not affected because it strips exported bash functions from the environment, as mentioned by Gilles on security.SE.

ssh is affected. Typical sshd installations only allow a limited set of environment variables to be exported as configured in AcceptEnv in sshd_config, e.g. LANG and LC_*. Even with this aggressive whitelisting approach, in shellshock any variable could be an attack vector.

Not only was every environment variable a potential attack vector, they exposed a >6000-line parser.

system, popen, and others are potentially dangerous. Not only should you take care with their arguments: even when the arguments are fixed at compile-time, the environment is a potential attack vector. Use fork()/execve(), preferably with a clean environment (but at least restrict the environment to white-listed variables, preferably with their values sanity-checked). Remember that a good quality system does what it is supposed to do, while a secure system does what it is supposed to do and nothing more. Invoking a full-blown shell makes doing nothing more a little bit harder.

Complexity is the enemy of security. These days you can easily find people recommending simpler shells. Most shells are free from shellshock by not supporting exported functions at all. Conversely, bash has received lots of security features over the years (you need to invoke it with -p to avoid it dropping privileges on startup, it sanitizes IFS, ...), so don't assume I'm advocating switching shells; this is more general advice.

Some excerpts from David Wheeler's ancient "Secure Programming for Linux and UNIX HOWTO" chapter on environment variables are still worth rereading.

§5.2.3¶1:

For secure setuid/setgid programs, the short list of environment variables
  needed as input (if any) should be carefully extracted. Then the
  entire environment should be erased, followed by resetting a small
  set of necessary environment variables to safe values. There really
  isn't a better way if the program calls any other program at all;
  there is no viable way of listing "all the dangerous values".

§5.2.3¶6:

If you really need user-supplied values, check the values first (to
  ensure that the values are legal values and match a pattern, and that they
  are within some reasonable maximum length).
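As an added example (not code from the question, the answer or bash itself), here is the fork()/execve() approach the answer recommends combined with the environment handling Wheeler describes: the child gets only allow-listed variables whose values pass a length and character check, and anything beginning with the "() {" prefix is dropped. The allow-list, the 256-byte limit and the metacharacter set are assumptions chosen for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Allow-list (assumed for this example): the only variables passed to the child. */
static const char *const ALLOWED[] = { "PATH", "LANG", "HOME", NULL };
#define MAX_VAL_LEN 256

/* A value passes if it is short, printable ASCII, free of shell metacharacters,
 * and does not begin with the "() {" prefix bash used to recognise exported functions. */
static int value_is_sane(const char *v) {
    size_t n = strlen(v);
    if (n == 0 || n > MAX_VAL_LEN || strncmp(v, "() {", 4) == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c > 0x7e || strchr("`$;|&<>(){}\\\"'", c)) return 0;
    }
    return 1;
}

/* Copy only allow-listed NAME=VALUE entries with sane values from src into dst.
 * Returns the number written; dst[count] is set to NULL so dst is a valid envp. */
static size_t build_safe_env(char *const *src, char **dst, size_t cap) {
    size_t count = 0;
    for (; *src && count + 1 < cap; src++) {
        const char *eq = strchr(*src, '=');
        if (!eq) continue;
        size_t nlen = (size_t)(eq - *src);
        for (const char *const *a = ALLOWED; *a; a++) {
            if (strlen(*a) == nlen && strncmp(*a, *src, nlen) == 0 && value_is_sane(eq + 1)) {
                dst[count++] = *src;
                break;
            }
        }
    }
    dst[count] = NULL;
    return count;
}
/* fork()/execve() replacement for system(): fixed argv, filtered environment.
 * Returns the child's exit status, or -1 on failure. */
static int run_clean(const char *path, char *const argv[], char *const *src_env) {
    char *env[64];
    build_safe_env(src_env, env, 64);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(path, argv, env); _exit(127); }
    int st;
    return (waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}
```

Pass `environ` (or a copy of it) as src_env to run_clean; entries such as the question's X='() { (a)=>\' never reach the child because X is not allow-listed and its value fails the check anyway.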
