Week 11 learning - "ShellShock challenge experiments."
- Problem Description:
- After the last phase of the study, we have come to understand the working mechanism of the core computer operating system and the Linux kernel is loaded and starts the executable program to track individual functions.
- By experiments grasp the principle of buffer overflow, buffer overflow attacks through the use of simulation software to understand the invasion of the remote host buffer overflow and understand the dangers and preventive measures to avoid the buffer overflow attacks.
- After the last phase of the study, we have come to understand the working mechanism of the core computer operating system and the Linux kernel is loaded and starts the executable program to track individual functions.
Learning this week:
- By experiments grasp the principle ShellShock attack by using attack ShellShock invasion remote host simulation software to understand the dangers of buffer overflow
- Giving a summary
- By experiments grasp the principle ShellShock attack by using attack ShellShock invasion remote host simulation software to understand the dangers of buffer overflow
First, the theoretical explanations
ShellShock attack
- September 24, 2014, Bash found a serious flaw shellshock, the vulnerability can be used in many systems, both remotely and can also be triggered locally.
- Shellshock, also known as Bashdoor, is a security vulnerability Bash shell widely used in Unix is.
- Many Internet daemons, such as web servers, using bash to process certain commands, allowing an attacker to execute arbitrary code on the vulnerable version of Bash.
- This can be exploited to access the computer system without authorization.
background
- Shellshock error will affect Bash, various Unix-based system that is used to execute commands and command-line scripts. It is usually installed as the default command-line interface of the system. Bash history analysis of the source code of the display since September 1989 Bash version 1.03 release, the bug already exists.
- Shellshock is a privilege escalation vulnerability that provides methods for executing commands should not be used for system users. This is done by "function to export" Bash function occurs, a command script so in a running instance of Bash created can be shared with lower-level instances. Encoding by the script shared between instances (referred to as a listing environment variables) to achieve this function. Bash will scan each new instance of the table for coding the script, each instance assembled into a command defined in a new instance of the script, and then execute the command. Assume a new instance of the script found in another example from the list, but it can not verify this, it can not verify the command script is constructed to define a proper formation. Therefore, an attacker can execute arbitrary commands on the system, or use other errors Bash command interpreter possible (if the attacker have a way to manipulate the list of environment variables and lead to Bash running).
- September 24, 2014 released to the public this bug, Bash was updated this patch, ready to publish despite the need for some time to update computers to solve potential security problems.
Implementation process
1, built environment
- Install version 4.1 bash with root privileges (at least version 4.2 of the holes have been plugged)
To speed things up, here we use the following Download http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz
$ sudo su $ wget http://labfile.oss.aliyuncs.com/bash-4.1.tar.gzinstallation:
$ tar xf bash-4.1.tar.gz $ cd bash-4.1 $ ./configure #这一步大概用时3分钟! $ make && make installThe installation is complete:
2, the connection process:
In the last step we have finished installing version 4.1 of bash, the next loophole detect the presence of shellshock
$ exit $ env x='() { :; }; echo vulnerable' bash -c "echo this is a test"
- Visible, the figure does not prompt "bulnerable" appears, indicating that there is no loophole. (If there is below the case, then there are loopholes)
Finally, let / bin / sh points to / bin / bash.
$ sudo ln -sf /bin/bash /bin/sh
3, the principle of vulnerability analysis
Custom bash function foo (), the function name can only call the function, KEY defined in this case foo () function = foo; VALUE = () {echo bar;};
$ foo() { echo bar; }
$ foo
> bar但如果定义export foo(),其内部就变成了:KEY=foo; VALUE=(){ :; };echo Hello World
export foo='() { :; }; echo Hello World'
bash
>Hello World
并且在bash读取了环境变量,在定义foo之后直接调用了后面的函数。 一旦调用bash,自定义的语句就直接触发。