I'm having difficulty understanding the Shellshock vulnerability verification
Question
I got this while I was checking for the Shellshock vulnerability:
host1:~$ env x='(){ :;}; echo vulnerable' bash -c "echo hello"
hello
host1:~$ env x='() { :;}; echo vulnerable' bash -c "echo hello"
vulnerable
hello
host1:~$
Strange, isn't it?
Recommended answer
Bash recognizes an environment variable as a function if it starts with precisely the four characters () {, including the space. So env x='(){ :;}; echo vulnerable' doesn't count.
This doesn't quite conform to the syntax you use to define a function in bash; internally, bash will store the string representation of a function in a normalized form. If the function is exported (with export -f function_name), then the normalized form is added to the environment, and child bash processes will recognize it as a function definition.
The "shellshock" bug comes from the way bash handles recognized functions; the buggy versions of bash (which go back a long way) simply evaluate the string from the environment as a function definition (by prepending the name of the variable as the function name), which is subject to an injection attack as demonstrated in the vulnerability test.
Manually creating strings which look like bash function definitions in order to define functions in child bash processes is a known technique. Exporting functions and reimporting them is very common, and often is not even noticed by the user. (For example, this technique is used to pass bash functions into subshells started by xargs bash -c and find ... -exec bash -c.)
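The prefix rule from the answer, as an added example that is not part of the original question or answer: a POSIX sh function that classifies an environment value without running bash on it. The name classify and the brace counter (a heuristic that ignores quoting) are assumptions made for this illustration; the first two samples are the strings from the question.

```sh
#!/bin/sh
# classify VALUE prints one of:
#   plain      - does not start with the exact four characters "() {"
#   function   - starts with "() {" and nothing follows the function body
#   trailing   - starts with "() {" and has text after the body's closing brace
#   unbalanced - starts with "() {" but the body never closes
classify() {
    value=$1
    prefix='() {'                       # four characters, space included
    case $value in
        "$prefix"*) ;;
        *) echo plain; return 0 ;;
    esac
    rest=${value#"$prefix"}
    depth=1
    # Heuristic: count braces one character at a time, ignoring quoting.
    while [ -n "$rest" ] && [ "$depth" -gt 0 ]; do
        ch=${rest%"${rest#?}"}          # first character of $rest
        rest=${rest#?}
        case $ch in
            '{') depth=$((depth + 1)) ;;
            '}') depth=$((depth - 1)) ;;
        esac
    done
    if [ "$depth" -ne 0 ]; then
        echo unbalanced
        return 0
    fi
    # Whatever remains sits after the function body; whitespace alone is fine.
    trimmed=$(printf '%s' "$rest" | tr -d ' \t\n')
    if [ -n "$trimmed" ]; then
        echo trailing
    else
        echo function
    fi
}

# The two values from the question: only the second has the "() {" prefix.
for sample in '(){ :;}; echo vulnerable' '() { :;}; echo vulnerable'; do
    printf '%-32s -> %s\n' "$sample" "$(classify "$sample")"
done
```

A value reported as trailing has the shape of the second test string in the question, where text follows the function body inside the same variable.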