2019-2020-1 20199316 "Linux Kernel Principles and Analysis" Week 11 assignment

ShellShock challenge experiment

I. Introduction to the experiment

On September 24, 2014, a serious flaw in Bash, Shellshock, was disclosed. The vulnerability affects many systems and can be triggered both remotely and locally. In this experiment, students reproduce the attack themselves to understand the vulnerability, and answer some questions.

  • What is Shellshock?
Shellshock, also known as Bashdoor, is a security vulnerability in the Bash shell that is widely used on Unix systems; it was first disclosed publicly on September 24, 2014.
Many Internet daemons, such as web servers, use Bash to process certain commands, which allows an attacker to execute arbitrary code on a vulnerable version of Bash. This can give the attacker unauthorized access to a computer system.

II. Building the environment

Install bash version 4.1 with root privileges (from version 4.2 on, the hole has been plugged). The original download address for bash 4.1 is http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz; for speed, we use the following mirror instead: http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz

  • There was a small hitch: the spaces inside the {} of the test string caused errors.

III. Experimental content

1. Attacking a Set-UID program

In this experiment, we gain root privileges by attacking a Set-UID program. First, make sure you have the vulnerable bash version installed, and make /bin/sh point to /bin/bash.

$ sudo ln -sf /bin/bash /bin/sh

Compile the following code, set it up as a Set-UID program and make sure it is owned by root. We know that system() invokes "/bin/sh -c" to run the specified command, which means /bin/bash gets called; can the Shellshock vulnerability be used to gain privileges here?

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), geteuid() */

int main(void)
{
    setuid(geteuid()); // make real uid = effective uid.
    system("/bin/ls -l"); // runs "/bin/sh -c /bin/ls -l", i.e. bash
    return 0;
}

Note the use of setuid(geteuid()) here to make the real uid equal to the effective uid; this is not common practice in Set-UID programs, but it does sometimes happen. First try to hack it yourself :) ...... ...... ...... ...... ...... ...... The hack process follows.

If the setuid(geteuid()) statement is removed and we try the attack again, can we still gain privileges?

#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void)
{
    system("/bin/ls -l"); // real uid and effective uid now differ
    return 0;
}

(The hack process is exactly the same as in step 1; sh0ck is the compiled program.)

It failed! This shows that when the real uid and the effective uid are the same, the content defined in the environment variable takes effect inside the program, so the Shellshock vulnerability can be exploited. But when the two uids differ, the environment variable has no effect and the attack cannot be launched; this can be confirmed from bash's source code.
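The root cause on the program side is that system() hands the command line to /bin/sh, so whatever bash makes of the caller's environment runs with the program's privileges. The defensive fix is to never route a privileged command through a shell at all. The following is an added example, not code from the lab report: it performs the same "ls -l" as the lab's Set-UID program, but via fork() and execve() with an explicit argument vector and a fixed environment of its own, so no inherited variable (function-shaped or otherwise) ever reaches a shell. The PATH value and the /bin/ls location are assumptions for a typical Linux system.

```c
/* Added example (not from the lab report): run /bin/ls -l from a
 * Set-UID program without ever invoking /bin/sh. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment handed to the child: nothing is inherited from the
 * caller. (PATH value is an assumption; adjust for the target system.) */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    NULL
};

/* Run `path` with `argv` directly via fork()+execve(), bypassing /bin/sh.
 * Returns the child's exit status, 127 if exec failed, or -1 on a
 * fork()/waitpid() error. */
int run_without_shell(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: execve() takes the environment explicitly, so the
         * caller's variables (including any "() { ... }" payloads) are
         * never passed on, and no shell parses anything. */
        execve(path, argv, clean_env);
        _exit(127);            /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;                 /* killed by a signal */
}

int main(void)
{
    /* Same command as the lab's program, but as an argument vector
     * instead of a shell command line. */
    char *const ls_argv[] = { "ls", "-l", NULL };
    int rc = run_without_shell("/bin/ls", ls_argv);
    if (rc == 127)
        fprintf(stderr, "could not execute /bin/ls\n");
    return rc == 0 ? 0 : 1;
}
```

Because the argument vector is fixed and the environment is built by the program itself, the Shellshock test string from this lab has nothing to attach to: there is no bash process in the chain. If the privileged program genuinely needs a shell, the same technique still applies, but the environment passed to execve() should then be constructed rather than inherited.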

IV. Problems encountered in the experiment

In this experiment, since all the steps were already given, few problems came up; they were mostly due to carelessness in reading. For example, at the step
$ exit
$ env x='() { :; }; echo vulnerable' bash -c "echo this is a test"
I did not pay attention to the spaces inside the {}!
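That one-line test is the standard way to tell a vulnerable bash from a patched one: the variable's value looks like a function definition, and a vulnerable bash keeps parsing past the closing brace and executes "echo vulnerable" before running the -c command. The following is an added example, not code from the lab report: a small C checker that runs exactly that test against a given bash binary, with the crafted variable as the child's only environment entry, captures its stdout and reports the result. The default path /bin/bash is an assumption.

```c
/* Added example (not from the lab report): run the canonical Shellshock
 * test string against a bash binary and report whether the text after
 * the function body was executed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Decide from bash's stdout whether the trailing "echo vulnerable" ran.
 * A patched bash prints only "this is a test"; a vulnerable one prints
 * "vulnerable" before it. Returns 1 if the payload ran, else 0. */
int output_shows_vulnerable(const char *out)
{
    return strstr(out, "vulnerable") != NULL;
}

/* Returns 1 if `bash_path` executed the payload, 0 if it did not,
 * and -1 if the test could not be run (pipe/fork failure or exec failure). */
int bash_is_vulnerable(const char *bash_path)
{
    int fd[2];
    if (pipe(fd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: stdout -> pipe, then run the lab's test command with the
         * crafted variable as the *only* environment entry. */
        char *const argv[] = { "bash", "-c", "echo this is a test", NULL };
        char *const envp[] = { "x=() { :; }; echo vulnerable", NULL };
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execve(bash_path, argv, envp);
        _exit(127);            /* exec failed: not the same as "patched" */
    }
    close(fd[1]);

    /* Parent: collect what bash wrote to stdout (stderr, where a patched
     * bash prints "ignoring function definition attempt", is left alone). */
    char buf[256];
    size_t n = 0;
    ssize_t r;
    while (n < sizeof buf - 1 &&
           (r = read(fd[0], buf + n, sizeof buf - 1 - n)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    close(fd[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return output_shows_vulnerable(buf);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/bash";   /* assumed default */
    int r = bash_is_vulnerable(path);
    if (r < 0) {
        fprintf(stderr, "could not run %s\n", path);
        return 2;
    }
    printf("%s: %s\n", path, r ? "vulnerable" : "patched");
    return r;
}
```

Passing the variable through execve() rather than the caller's environment keeps the check reproducible: the result depends only on the binary being tested, not on whatever else happens to be exported in the shell the checker was started from.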
V. Reflections on the experiment

This experiment let us understand the Shellshock vulnerability by reproducing the attack. Fixing Shellshock was like whack-a-mole: plug one hole and another pops up; patch one part and other attack variants soon appear, one after another. The crux of the problem is really bash's reliance on environment variables in its design. As long as exported environment variables exist, an attacker can use various ways to trick bash into treating them as commands and executing them. Although the Linux experiments are over, there are still many problems waiting for me to study and solve, and I will keep learning about Linux in the time ahead.


Origin www.cnblogs.com/destiny-love/p/11940628.html