bash shell code injection 윤신필립 하승범. 1.what is shellshock. 2.background knowledge....

Bash shell Code Injection Shellshock

vulnerability

윤신필립하승범

CONTENTS1. What is ShellShock.

2. Background Knowledge.

3. Shellshock CVE-2014-6271

4. Additional vulnerabilities

5. Dangerousness of this Vulnerability.

6. Way of Solutions.

What is Shellshock ?

• CVE 2014-6271

• Disclosed by Akamai Technology ofStephane Chazelas on 24 September 2014.

• CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278

How to set environment variable?

How to set environment variable?

How to set environment variable?

How to set environment variable?

Bash Architecture

• Run bash

• initialization Bash environment variable

• Print Bash shell prompt

• Wait instruction

• Save inst to string and parsing

• Run instruction

How to set environment variable?

Principle of CVE-2014-6271

• Use parse_and_execute() function

intparse_and_execute (string, from_file, flags){ ... while (*(bash_input.location.string)) { ...

PATCH VERSION/* Don't import function names that are invalid identifiers from the environment, though we still allow them to be defined as shell variables. */if (legal_identifier (name))parse_and_execute(temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FINCDEF|SEVAL_ONECMD);

Principle of CVE-2014-6271

• limit number of process• check function

CVE-2014-6271 DEMO

DEMO

Additional vulnerabilities

CVE-2014-7169

CVE-2014-7186

CVE-2014-6278

Dangerousness of this Vulnerability

Dangerousness of this Vulnerability

Attacker CGI PAGE Web Server

virus

Server invade & Destroy

DB Server

Bash 실행

HTTP PACKET

Malicious c

ommands

Save inEnvironment

variable

Way of Solutions

UPDATEsudo apt-get upgradesudo apt-get update

Fedora, Redhatsudo yum update

Way of Solutions

OS X bash Update 1.0Mavericks http://support.apple.com/kn/DL1769

Mountain Lion http://support.apple.com/kn/DL1768

Lion http://support.apple.com/kn/DL1767

Way of Solutions

Troy Hunt (Tremendous in-depth primer on Shellshock)

In short, the advice to consumers is this: watch for security updates, particularly on OS X. Also keep an eye on any advice you may get from your ISP or other providers of devices you have that run embedded software. Do be cautious of emails requesting information or instructing you to run software

Q & A