Comprehensive Analysis of the Shellshock ("Shell Breaking") Vulnerability (CVE-2014-6271)

 

Table of contents

1. Threat card
2. Overview
3. Publication/disclosure of known events
4. Scope of the vulnerability
5. Vulnerability principle
6. Vulnerability verification method
7. Vulnerability detection method
8. Possible impact of the vulnerability
9. Suggestions for this vulnerability
10. Some long-winded words at the end

 

 

1. Threat card

http://p4.qhimg.com/t01e6d4d0bf4d0b7e95.png

2. Overview

       On September 24, 2014, a remote code execution vulnerability in Bash was announced. Antiy Security Research and Emergency Response Center (hereinafter Antiy CERT) immediately judged from the available information that the vulnerability could have serious consequences and that the affected software is very widely distributed, and launched an A-level risk emergency response at 5:30 am Beijing time on September 24.
      Antiy CERT carried out a rigorous analysis and verification of the vulnerability and confirmed that it affects the current mainstream Linux and Mac OS X platforms, including but not limited to Red Hat, CentOS, Ubuntu, Debian, Fedora, Amazon Linux and OS X 10.10. The vulnerability allows attacker-chosen script code to be executed by constructing the value of an environment variable. It affects every application that interacts with Bash, including HTTP servers, OpenSSH, DHCP clients and others. Judging from the verification results so far and the POCs in circulation, the vulnerability will seriously affect the security of network infrastructure, including but not limited to network equipment, network security equipment, cloud and big data centers. Because Bash is so widely distributed and embedded in devices, eliminating the vulnerability will be a very long-tailed process; it is easy to use it to write self-propagating worms, and it will also lead to the growth of botnets. Many overseas security agencies have already issued warnings.
       Note 1: Wikipedia describes Bash as follows: "Bash is a Unix shell. The first official version was released in 1989. It was originally intended for the GNU operating system, but it runs on most Unix-like operating systems, including Linux and Mac OS X v10.4, which use it as the default shell. It has also been ported to Cygwin and MinGW on Microsoft Windows, to the DJGPP project for MS-DOS, to Novell NetWare, and to Android."
       Note 2: An A-level response is the highest threat level defined by Antiy. Antiy launches an A-level response for worm epidemics and serious vulnerabilities that may cause large-scale network paralysis and congestion, and for serious threats that may endanger key information systems and infrastructure across a wide area. The specific requirements are to unconditionally suspend the analysis team's existing work, immediately form an analysis group and begin rapid analysis, promptly notify the relevant CERT organizations and management departments, keep tracking the threat, and continuously update and distribute the related analysis and response documents. This is the second A-level response Antiy has launched this year; the previous one was for the Heartbleed vulnerability. Since Antiy established its threat response classification mechanism, A-level responses have been launched for the password worm, Blaster, Sasser, SQL Slammer, Zotob, Panda Burning Incense and other incidents.

 

3. Publication/disclosure of known events

      According to the available information, the vulnerability was discovered by the French GNU/Linux researcher Stéphane Chazelas in mid-September 2014 and disclosed on September 24, 2014.

Table 1 List of Vulnerability Release Vendors

http://p2.qhimg.com/t013f7045b45a9ee8b7.png

Table 2 Some major vulnerabilities affecting platforms and versions

http://p2.qhimg.com/t012c4de29a288942f0.png


4. Scope of the vulnerability

      Antiy CERT has verified that Bash versions carrying CVE-2014-6271 are present in Red Hat, CentOS, Ubuntu, Fedora, Amazon Linux and OS X 10.10. Because Bash is so widely used across mainstream operating systems, the scope of the vulnerability includes but is not limited to most Unix, Linux and Mac OS X systems that use Bash, and the data managed by these systems is exposed to a high-risk threat. The vulnerability is exploited through the various applications that interact with Bash, including HTTP servers, OpenSSH, DHCP clients and others.

      Antiy CERT's sampling so far indicates that the pre-installed Android operating system does not support the ENV command, so it can be inferred that Android is less likely to be affected by this vulnerability.

 

5. Vulnerability principle

            The vulnerability arises from the way Bash imports functions from environment variables. When an environment variable whose value begins with "() {" is parsed into a function during Bash's processing of the environment (the ENV command), Bash does not stop after the function definition but continues to parse and execute the shell commands that follow it. The core reason is that the input is not strictly bounded when it is parsed, and no validity check is made on the parameter.
            The patch mainly filters for parameter validity. In the parse_and_execute function of /builtins/evalstring.c, the patched program performs a boundary check on the input command and rules out the possibility of code injection. The exclusion relies mainly on two checks of the flags and one type match on the command. To make the flag checks precise, the patch pre-defines two flags, SEVAL_FUNCDEF and SEVAL_ONECMD, as the basis for the judgment. There have been three patch updates for this vulnerability, all mainly concerned with filtering the input command.

http://p8.qhimg.com/t01fbccc4a0e70ec2e7.png

      From the principle explained above, the root cause lies in Bash's implementation of the ENV command, so the vulnerability by itself cannot directly lead to remote code execution. To achieve remote code execution, a third-party service program must act as the medium, and that program must meet several conditions before it can play this role. For example, Antiy CERT has verified that apache2 can act as this medium: its CGI component accepts remote access and calls Bash's ENV command to process the request data. See the schematic diagram (CVE-2014-6271 Vulnerability Remote Code Execution Schematic Diagram) for how this is achieved.



6. Vulnerability verification method

      Bash supports custom functions by exporting environment variables, and can pass custom Bash functions to child processes in this way. Normally the code in the function body is not executed, but this vulnerability causes the commands outside the "{}" braces to be executed by mistake. Antiy CERT has verified Shellshock in detail, including local verification, remote simulated verification and remote real-world verification. For remote verification, an httpd server with CGI enabled was set up for testing, because when CGI is executed, Bash is invoked with the Referer, Host, User-Agent and other header values passed in as environment variables. In addition, Antiy CERT has simulated and verified other Shellshock attack paths such as DHCP.

1. Local verification method:

Execute the following command in the shell:

http://p7.qhimg.com/t01c813318c7c39347f.png

1) Verification on Linux (Debian): after executing the command, if "Vulnerable CVE-2014-6271" is displayed, the system is vulnerable; the `echo Vulnerable CVE-2014-6271` part can be replaced to execute any command.

2) Apple operating system (OS X 10.10) vulnerability verification is as follows:

2. Remote verification method

a. Simulation verification method

This method is suitable for proof-of-principle.

1) Install and configure the Apache server on Ubuntu

  Install the apache2 server:

           #sudo apt-get install apache2

  Configure the apache2 server. The configuration file is located at /etc/apache2/sites-enabled/000-default; open it with vi:

           #sudo vi /etc/apache2/sites-enabled/000-default

  Modify the following two directives to read:

           DocumentRoot /var/www/html
           ScriptAlias /cgi-bin/ /var/www/html/cgi-bin/

2) Write the web server test file

  Edit the server test file:

           #sudo vi /var/www/html/cgi-bin/test.sh

http://p8.qhimg.com/t0185769d43ddef0cc7.png

  Then restart the service:

           #sudo /etc/init.d/apache2 restart

3) Remote testing

 The test command is as follows:

http://p4.qhimg.com/t017f7093f6670199f9.png

         In the command, a=`/bin/cat /etc/passwd`; echo $a can be replaced with any command.

b. Real-world verification method

This method is suitable for Internet regulators conducting Internet-wide censuses and similar tasks.

1) Use search engines to search websites that may have vulnerabilities. The following uses Google search as an example:

Search: inurl:/cgi-bin/ filetype:sh

2) Extract the retrieved URLs, then substitute each one for the "Replacement URL" below

http://p9.qhimg.com/t0128c83fc1deac5d89.png

3) If the vulnerability is present, the results of the simulated verification method can be reproduced to judge its scope and harm. If a search engine is not used, dictionary-based probing can also be tried, but this method wastes a great deal of time on useless connection attempts.


7. Vulnerability detection method

      The local and remote verification methods can be turned into scripts, programs or Snort rules and used for batch detection across operating system platforms. For HTTP detection, the attacks seen so far can be detected by looking for the string "() {" (hexadecimal "\x28\x29\x20\x7b\x20") in the Referer, Host, User-Agent and other header fields.
      Attack capture and feature extraction are still in progress.
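A defender-side script, added here as an example and not part of the Antiy report, that runs the local Bash self-check from Section 6 and then scans an access log for the "() {" header marker described above. The log lines, client addresses and the path /cgi-bin/test.sh used below are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Antiy report. Part 1 is the local Bash
# self-check (Section 6); part 2 scans a web access log for the "() {"
# marker (Section 7). Log lines, client addresses and the path
# /cgi-bin/test.sh are constructed for this example.

# 1) Local check: a function-shaped variable is exported; only an unpatched
#    Bash executes the command that follows the closing brace. Output is
#    one of: vulnerable | patched | no-bash.
shellshock_local_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo VULNERABLE-CVE-2014-6271' \
          bash -c 'echo test' 2>/dev/null) || out=""
    case "$out" in
        *VULNERABLE-CVE-2014-6271*) echo vulnerable ;;
        *)                          echo patched ;;
    esac
}

# Constructed Apache combined-format log: lines 2 and 3 carry the marker in
# the User-Agent and Referer fields respectively; lines 1 and 4 are normal.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [25/Sep/2014:08:01:12 +0800] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:08:01:19 +0800] "GET /cgi-bin/test.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
10.0.0.9 - - [25/Sep/2014:08:02:03 +0800] "GET /index.html HTTP/1.1" 200 1024 "() { x;}; echo probe" "curl/7.35.0"
10.0.0.11 - - [25/Sep/2014:08:02:40 +0800] "GET /cgi-bin/test.sh HTTP/1.1" 404 210 "-" "Wget/1.15"
EOF
}

# 2) Detection: count lines containing the literal marker "() {" (the hex
#    string \x28\x29\x20\x7b\x20 quoted in Section 7 is this marker plus a
#    trailing space). grep -F matches literally, so no regex escaping is
#    needed; "|| true" keeps a zero count from aborting under set -e.
count_shellshock_probes() {
    grep -c -F '() {' "$1" || true
}

# Unique client addresses (first log field) that sent a marked request.
list_probe_sources() {
    grep -F '() {' "$1" | awk '{ print $1 }' | sort -u
}

SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
echo "local bash: $(shellshock_local_check)"
echo "marked requests: $(count_shellshock_probes "$SAMPLE_LOG")"
echo "sources:"
list_probe_sources "$SAMPLE_LOG"
```

The same grep pattern can be pointed at a live access log or used as the content match of a Snort rule; the self-check is only meaningful on the host whose Bash is being assessed.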

  

8. Possible impact of the vulnerability

  1. This vulnerability can bypass the configuration of ForceCommand in sshd to execute arbitrary commands;

  2. Apache servers using mod_cgi or mod_cgid are affected if the CGI scripts are written in Bash;

  3. The DHCP client calls shell scripts to configure the system, which may allow arbitrary command execution;

  4. Various daemons and SUID/privileged programs may execute shell scripts, allowing arbitrary commands to run through environment variable values that users can set or influence.

9. Suggestions for this vulnerability

  1. Verify the system according to the vulnerability verification method in Section 6. If a vulnerability is confirmed, update to the fixed version given in Section 3.

  2. Update the Bash source code: perform boundary checks and parameter filtering in the implementation of the ENV command, strictly delimit the scope of the function definition, and validate the parameters.

10. Some long-winded words at the end

This report may not be updated further, because our follow-up work on Shellshock will inevitably focus on detection and assessment of the vulnerability; in-depth vulnerability analysis is not the positioning of Antiy as an anti-malware and anti-APT team.
This is also the second A-level response by Antiy CERT this year; the previous one was Heartbleed. Looking back through the archive of Antiy's A-level responses, we see many familiar names: the password worm, Blaster, Sasser...
In the few years before "Heartbleed" appeared, threats were developing in a highly targeted direction, Antiy CERT's focus had shifted to the analysis of more refined and protracted APT attacks, and no A-level response had been launched for many years. So when "Heartbleed" came, we seemed rather flustered. We were not used to being woken up in the early morning, and we suddenly found that the basic environment needed to be rebuilt. At that time we felt like a group of detectives carefully collecting and examining evidence at a crime scene who suddenly discover that the city is on fire, and the task quickly became for everyone to fight the fire... For security analysis engineers, re-entering the line of fire is enough to awaken a dormant sharpness and fighting spirit.
Security never stops, because threats never stop. Li Bosong, head of Antiy's analysis team, was moved by the slogan "Safe Never Sleep" when he visited McAfee, but he said he was moved even more when, coming out of the Avtar Hotel late at night, he saw McAfee's lights still burning. Our work on Shellshock is still superficial, but compared with the panic during "Heartbleed" we have clearly become calm again. In particular, when we are woken again in the early morning, we have already learned to grit our teeth and get up; it has become a conditioned reflex.
Security is hard to get right, also because threats are unpredictable. Since 2004, when DEP, ASLR and other technologies were introduced into mainstream systems, threats based on a single remote decisive blow have clearly decreased, and the undisclosed 0-days are expected to be used cautiously as secret weapons. Large-scale worms have become fewer, and no new malicious code names have become known to the public, which has given the public a false sense of security and a false picture of the security landscape. Those who believe that "trust + active defense" can create a security perpetual-motion machine often forget the existence of scripts, which security managers both love and hate.
Security is hard to perfect, especially because time is not on the defender's side. This is true whether the threat is a blitz that lands a single decisive blow or one that lies dormant for a long time. The Heartbleed vulnerability lurked in the code for 3 years, while Shellshock may have existed for 10 years. Whether, during this incubation period, it was lucky enough to stay asleep all along or had already become a tool for breaking in is still unknown. It is hard to say whether such a vulnerability is an unintentional developer mistake or a well-designed code contamination. It is conceivable that every information security disaster that cannot be fully reconstructed is destined to become the script of a conspiracy theory.
Slow progress in security also comes from people taking too much for granted. Both "Heartbleed" and Shellshock come from open source systems, and too many well-meaning people naturally assume that the security of open source is guaranteed by its countless code maintainers, auditors and users. Whether it is OpenSSL with Heartbleed or Bash with Shellshock, the code has been compiled by countless developers and compilers in an instant, and the related vulnerabilities slipped through in that same instant; for an attacker, the relevant code may have been studied and mined for a long time. A general comparison of whether open source or closed source is more secure is meaningless. We just want to emphasize once again that open source does not necessarily lead to security.
Security is hard to improve, and this lies in the constant generalization and inheritance of threats. From the PC era through the mobile era to the era of wearables and smart homes, ease of use and convenience have developed rapidly, new devices appear at an ever higher frequency, and they run ever more complex operating systems. However, existing security experience and methods have not been effectively passed on and inherited. Code reuse and similar practices carry vulnerabilities like "Heartbleed" and Shellshock into more and deeper domains, bringing a more complex and difficult long tail of remediation. In the future there will be more functional collaboration, cross-access and data sharing between heterogeneous devices, which will make the security situation more complex, harder to handle and harder to diagnose.

When threats come one after another and we are overwhelmed and exhausted, as professional security workers we must remind ourselves not to lose our confidence and belief in security, nor our expectations for the development of information technology. Security is not the whole of information technology; we need to live in a fast-growing, convenient and happy world, and provide security for it.


This article is excerpted from: Antiy Security Research and Emergency Response Center
Original link: http://www.antiy.com/response/CVE-2014-6271.html

 

Origin: blog.csdn.net/lsyou_2000/article/details/41481119