Vulnerability details page: http://seclists.org/oss-sec/2014/q3/650
Diagnostic Steps
Red Hat Access Labs has provided a script to help confirm whether a system is patched against the Shellshock vulnerability. You can also manually test your version of Bash by running the following command:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
If the output of the above command contains a line consisting only of the word vulnerable, you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function.
Note that different Bash versions will also print different warnings while executing the above command. The Bash versions without any fix produce the following output:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
The versions with only the original CVE-2014-6271 fix applied produce the following output:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test
The versions with additional fixes from RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 produce the following output:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
The difference in the output is caused by additional function processing changes explained in the "How does this impact systems" section below.
The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:
$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014
If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created.
If your system is not vulnerable, you will see output similar to:
$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
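The two manual checks above can be wrapped in a small POSIX shell script that reports one result word per CVE instead of requiring the reader to compare warning output by eye. This is an added example, not code from the Red Hat text or the Bash project: the function names check_6271, check_7169 and shellshock_report are this example's own, and it assumes the Bash under test is either on PATH or passed as an argument. It is written for /bin/sh so the script itself does not depend on the Bash binary it is testing, and the CVE-2014-7169 check runs in a private temporary directory rather than /tmp.

```shell
#!/bin/sh
# Added example (not Red Hat's or the Bash project's code): scripted form of the
# two manual Shellshock checks shown above.  Each check prints exactly one word:
#   vulnerable - the behaviour the advisory describes for unpatched Bash
#   patched    - the payload was rejected
#   unknown    - the Bash binary under test could not be found
# Function names and the optional BASH_BIN argument are this example's own.

# check_6271 [BASH_BIN]: same environment-function payload as the manual test,
# in both the pre-fix ("x=...") and post-fix ("BASH_FUNC_x()=...") variable
# formats.  A vulnerable Bash executes the trailing "echo vulnerable" while
# importing the function x.
check_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo unknown; return 2; }
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$bash_bin" -c "echo test" 2>/dev/null)
    # Only a line consisting solely of "vulnerable" counts; the warning lines a
    # patched Bash prints go to stderr and were discarded above.
    if printf '%s\n' "$out" | grep -qx vulnerable; then
        echo vulnerable
    else
        echo patched
    fi
}

# check_7169 [BASH_BIN]: the file-creation test.  It runs in a private temporary
# directory instead of /tmp so a stray "echo" file cannot collide with anything
# else; a vulnerable Bash leaves a file named "echo" in the working directory.
check_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo unknown; return 2; }
    workdir=$(mktemp -d) || { echo unknown; return 2; }
    (
        cd "$workdir" || exit 1
        env 'x=() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1
    )
    if [ -e "$workdir/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$workdir"
    echo "$result"
}

# shellshock_report [BASH_BIN]: one line per CVE; exit status 1 if either check
# reports vulnerable, so the script can be dropped into a configuration audit.
shellshock_report() {
    bash_bin="${1:-bash}"
    r1=$(check_6271 "$bash_bin")
    r2=$(check_7169 "$bash_bin")
    printf 'CVE-2014-6271 (%s): %s\n' "$bash_bin" "$r1"
    printf 'CVE-2014-7169 (%s): %s\n' "$bash_bin" "$r2"
    [ "$r1" != vulnerable ] && [ "$r2" != vulnerable ]
}

# Usage: sh shellshock_check.sh [/path/to/bash]
shellshock_report "$@"
```

Passing an explicit path is useful on hosts that carry more than one Bash (for example a vendor copy under /opt alongside the distribution package), since the package table below only tells you about the RPM-managed binary.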
If your system is vulnerable, you can fix these issues by updating to the most recent version of the Bash package by running the following command:
# yum update bash
Search for and download the corresponding package according to the table below:
Product/Channel            | Fixed in package              | Remediation details
Red Hat Enterprise Linux 7 | bash-4.2.45-5.el7_0.4         |
Red Hat Enterprise Linux 6 | bash-4.1.2-15.el6_5.2         |
                           | bash-4.1.2-15.el6_5.1.sjis.2  |
                           | bash-4.1.2-9.el6_2.2          |
                           | bash-4.1.2-15.el6_4.2         |
Red Hat Enterprise Linux 5 | bash-3.2-33.el5_11.4          |
                           | bash-3.2-33.el5_11.1.sjis.2   |
                           | bash-3.2-24.el5_6.2           |
                           | bash-3.2-32.el5_9.3           |
Red Hat Enterprise Linux 4 | bash-3.0-27.el4.4             |
Virtual machine test:
[root@localhost /]# rpm -Uvh bash-3.2-33.el5_11.4.i386.rpm --nodeps
warning: bash-3.2-33.el5_11.4.i386.rpm: Header V3 DSA/SHA1 Signature, key ID 37017186: NOKEY
Preparing... ########################################### [100%]
package bash-4.1.2-14.el6.i686 (which is newer than bash-3.2-33.el5_11.4.i386) is already installed
[root@localhost /]# chmod +x bash-4.1.2-15.el6_5.2.x86_64.rpm
[root@localhost /]# rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm --nodeps
warning: bash-4.1.2-15.el6_5.2.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ########################################### [100%]
package bash-4.1.2-15.el6_5.2.x86_64 is intended for a x86_64 architecture
[root@localhost /]# uname -a
Linux localhost.localdomain 2.6.32-358.el6.i686 #1 SMP Tue Jan 29 11:48:01 EST 2013 i686 i686 i386 GNU/Linux
(download bash-4.1.2-15.el6_5.2.src.rpm, then run: rpmbuild --rebuild bash-4.1.2-15.el6_5.2.src.rpm)
[root@localhost /]# rpm -Uvh bash-4.1.2-15.el6_5.2.i686.rpm --nodeps
warning: bash-4.1.2-15.el6_5.2.i686.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing... ########################################### [100%]
1:bash ########################################### [100%]
[root@localhost /]#
Virtual machine verification:
[root@localhost 桌面]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
[root@localhost 桌面]# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: 没有那个文件或目录