Upload
theodora-hodges
View
228
Download
0
Embed Size (px)
Citation preview
Bash shell Code Injection Shellshock
vulnerability
윤신필립하승범
CONTENTS1. What is ShellShock.
2. Background Knowledge.
3. Shellshock CVE-2014-6271
4. Additional vulnerabilities
5. Dangerousness of this Vulnerability.
6. Way of Solutions.
What is Shellshock ?
• CVE 2014-6271
• Disclosed by Akamai Technology ofStephane Chazelas on 24 September 2014.
• CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
How to set environment variable?
How to set environment variable?
How to set environment variable?
How to set environment variable?
Bash Architecture
• Run bash
• initialization Bash environment variable
• Print Bash shell prompt
• Wait instruction
• Save inst to string and parsing
• Run instruction
How to set environment variable?
Principle of CVE-2014-6271
• Use parse_and_execute() function
intparse_and_execute (string, from_file, flags){ ... while (*(bash_input.location.string)) { ...
PATCH VERSION/* Don't import function names that are invalid identifiers from the environment, though we still allow them to be defined as shell variables. */if (legal_identifier (name))parse_and_execute(temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FINCDEF|SEVAL_ONECMD);
Principle of CVE-2014-6271
• limit number of process• check function
CVE-2014-6271 DEMO
DEMO
Additional vulnerabilities
CVE-2014-7169
CVE-2014-7186
CVE-2014-6278
Dangerousness of this Vulnerability
Dangerousness of this Vulnerability
Attacker CGI PAGE Web Server
virus
Server invade & Destroy
DB Server
Bash 실행
HTTP PACKET
Malicious c
ommands
Save inEnvironment
variable
Way of Solutions
UPDATEsudo apt-get upgradesudo apt-get update
Fedora, Redhatsudo yum update
Way of Solutions
OS X bash Update 1.0Mavericks http://support.apple.com/kn/DL1769
Mountain Lion http://support.apple.com/kn/DL1768
Lion http://support.apple.com/kn/DL1767
Way of Solutions
Troy Hunt (Tremendous in-depth primer on Shellshock)
In short, the advice to consumers is this: watch for security updates, particularly on OS X. Also keep an eye on any advice you may get from your ISP or other providers of devices you have that run embedded software. Do be cautious of emails requesting information or instructing you to run software
Q & A