Is the behavior behind the Shellshock vulnerability in Bash documented or at all intentional?


Problem description

A recent vulnerability, CVE-2014-6271, in how Bash interprets environment variables was disclosed (https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/). The exploit relies on Bash parsing some environment variable declarations as function definitions, but then continuing to execute code following the definition:

$ x='() { echo i do nothing; }; echo vulnerable' bash -c ':'
vulnerable

But I don't get it. There's nothing I've been able to find in the Bash manual about interpreting environment variables as functions at all (except for inheriting functions, which is different). Indeed, a proper named function definition is just treated as a value:

$ x='y() { :; }' bash -c 'echo $x'
y() { :; }

But a corrupt one prints nothing:

$ x='() { :; }' bash -c 'echo $x'

$ # Nothing but newline

The corrupt function is unnamed, and so I can't just call it. Is this vulnerability a pure implementation bug, or is there an intended feature here, that I just can't see?

Per Barmar's comment, I hypothesized the name of the function was the parameter name:

$ n='() { echo wat; }' bash -c 'n'
wat

Which I could swear I tried before, but I guess I didn't try hard enough. It's repeatable now. Here's a little more testing:

$ env n='() { echo wat; }; echo vuln' bash -c 'n'
vuln
wat
$ env n='() { echo wat; }; echo $1' bash -c 'n 2' 3 -- 4

wat

…so apparently the args are not set at the time the exploit executes.

Anyway, the basic answer to my question is, yes, this is how Bash implements inherited functions.

Recommended answer

This seems like an implementation bug.

Apparently, the way exported functions work in bash is that they use specially-formatted environment variables. If you export a function:

f() { ... }

it defines an environment variable like:

f='() { ... }'

What's probably happening is that when the new shell sees an environment variable whose value begins with (), it prepends the variable name and executes the resulting string. The bug is that this includes executing anything after the function definition as well.

The fix described is apparently to parse the result to see if it's a valid function definition. If not, it prints the warning about the invalid function definition attempt.

This article confirms my explanation of the cause of the bug. It also goes into a little more detail about how the fix resolves it: not only do they parse the values more carefully, but variables that are used to pass exported functions follow a special naming convention. This naming convention is different from that used for the environment variables created for CGI scripts, so an HTTP client should never be able to get its foot into this door.
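An added example (not from the question or the answer above) that shows the mechanism the answer describes: how an exported function actually travels through the environment in a current, patched bash, that a child bash still inherits it, and the defensive self-check from the question (a value that is a function body followed by extra commands must not be executed). The function name `greet` and the marker string are constructed for this example; the script itself is POSIX sh and calls `bash` explicitly.

```shell
#!/bin/sh
# Added example: exported functions in bash and the Shellshock self-check.
# Everything bash-specific runs inside an explicit `bash -c` so this file
# can be executed by plain sh.

# Name of the environment variable that carries an exported function.
# Before the fix this was simply the function name ("greet"); patched bash
# uses a reserved naming convention (current releases print BASH_FUNC_greet%%),
# so an ordinary variable such as one set from an HTTP header can never be
# mistaken for a function definition.
exported_function_varname() {
    bash -c 'greet() { echo "hi $1"; }; export -f greet; env' \
        | grep -F '=() {' | grep greet | sed 's/=.*//'
}

# The exported function is still inherited and callable in a child bash.
child_runs_inherited_function() {
    bash -c 'greet() { echo "hi $1"; }; export -f greet; bash -c "greet bob"'
}

# The probe from the question: a variable whose value looks like a function
# body with trailing commands.  A vulnerable bash executes the trailing
# command and prints the marker; a patched bash treats the variable as an
# ordinary string and prints nothing.
shellshock_check() {
    out=$(env probe='() { :; }; echo SHELLSHOCK_MARKER' bash -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Stand-alone run: show the variable name, the inherited call, and the verdict.
echo "exported as: $(exported_function_varname)"
echo "child says:  $(child_runs_inherited_function)"
echo "this bash:   $(shellshock_check)"
```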
