Unix /Linux 的Bash Shell 出現重大漏洞,危險等級可能超越 Heartbleed
美國電腦緊急應變中心(US-CERT)、紅帽,及多家資安業者於周三(9/24)警告,在UNIX平台上被廣泛使用的Bash Shell含有嚴重漏洞,該漏洞可能讓駭客遠端執行惡意程式,影響GNU、Linux及Mac OS等基於UNIX的各種作業系統。有資安業者認為,此一被稱為Shell Shock的漏洞影響程度可能與Heartbleed相當,甚至更甚於Heartbleed。
Bash Shell為UNIX的介面程式,不但是GNU作業系統的介面程式,也是Linux及Mac OS X的預設介面程式,算是各種Linux版本上最常見的公用程式。它採用命令列介面,允許使用者輸入文字命令,也可讓使用者遠端下達指令(如透過ssh或 telnet)。
此一漏洞是由法國的軟體開發人員Stéphane Chazelas所發現,負責維護Bash Shell的Chet Ramey已經修補該漏洞,更新了自Bash 3.0至Bash 4.3的版本,各界則統一於周三公布該漏洞。
根據開放源碼安全郵件論壇OSS-Sec的說明,Bash不僅支援介面變數的匯出,也可藉由程序環境至子程序將介面功能匯出至其他Bash實例,目前Bash的各種版本使用由功能名稱命名的環境變數,在環境變數中是以 ( ) {為始於該環境中傳遞功能定義,此一漏洞的產生源自於在處理功能定義後,Bash並沒有就此停住,它繼續解析與執行功能定義之後的其他介面命令。因此,若有駭客在功能定義後加入惡意命令,就會加重漏洞的嚴重性。
Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal based command interpreter to many other fancy uses.
In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consists of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)
Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts, for example:
- ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
- Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
- PHP scripts executed with mod_php are not affected even if they spawn subshells.
- DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
- Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
- Any other application which is hooked onto a shell or runs a shell script as using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.
Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the enivronment variable). Something like:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
We believe this should not affect any backward compatibility. This would, of course, affect any scripts which try to use environment variables created in the way as described above, but doing so should be considered a bad programming practice.
Red Hat has issued security advisories that fixes this issue for Red Hat Enterprise Linux. Fedora has also shipped packages that fixes this issue.
We have additional information regarding specific Red Hat products affected by this issue that can be found at https://access.redhat.com/site/solutions/1207723
Information on CentOS can be found at http://lists.centos.org/pipermail/centos/2014-September/146099.html.
我以為要複製貼上綠色的全部內容,結果只有「env x='() { :;}; echo vulnerable' bash -c "echo this is a test"」這個指令!
我也來玩看看!打開「終端機」以後,貼上「env x='() { :;}; echo vulnerable' bash -c "echo this is a test"」指令,再按Enter,就會看到螢幕上有顯示底下的兩行「vulnerable」跟「this is a test」。
這表示Mac OS X也有相同的漏洞,所以很可能會有駭客入侵我的MacBook Pro了嗎?