{"id":9929,"date":"2014-09-26T11:09:58","date_gmt":"2014-09-26T03:09:58","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=9929"},"modified":"2014-09-26T14:02:07","modified_gmt":"2014-09-26T06:02:07","slug":"%e3%80%90-bash-shell%e5%87%ba%e7%8f%be%e5%9a%b4%e9%87%8d%e6%bc%8f%e6%b4%9e%e3%80%91%e4%bc%ba%e6%9c%8d%e5%99%a8%e4%b8%8a%e7%9a%84shell-%e6%94%bb%e6%93%8a%ef%bc%9abash%e8%87%ad%e8%9f%b2%e3%80%8ccve-2014","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=9929","title":{"rendered":"Shellshock \u6f0f\u6d1e \u731b\u70c8\u4f86\u8972,\u7db2\u8def\u7528\u6236\u8acb\u5168\u9762\u6212\u5099!"},"content":{"rendered":"<p><strong>\u4f3a\u670d\u5668\u4e0a\u7684 Shell \u653b\u64ca\uff1aBash\u81ed\u87f2\u300cCVE-2014-7169\u300d\u548c\u300cCVE-2014-6271\u300d<\/strong><\/p>\n<p>\u7e7c\u56db\u6708\u7684\u00a0<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=7889\">Heartbleed\u5fc3\u6dcc\u8840\u6f0f\u6d1e<\/a>\u4e4b\u5f8c,\u53c8\u51fa\u73fe\u4e00\u500b\u91cd\u5927\u6f0f\u6d1e! Bash Shell\u51fa\u73fe\u4e86\u4e00\u500b\u56b4\u91cd\u7684\u6f0f\u6d1e\uff0c\u9019\u662f\u5927\u591a\u6578 Linux \u5957\u4ef6\u5167\u90fd\u6709\u4f7f\u7528\u7684\u8edf\u9ad4\u3002\u6b64\u6f0f\u6d1e\uff08\u7de8\u865f\u70ba\u00a0<a href=\"https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2014-7169\">CVE-2014-7169<\/a>\uff09\u53ef\u4ee5\u8b93\u653b\u64ca\u8005\u5728\u53d7\u5f71\u97ff\u7cfb\u7d71\u4e0a\u57f7\u884c\u6307\u4ee4\u3002\u7c21\u55ae\u7684\u8aaa\uff0c\u9019\u5c31\u6709\u8fa6\u6cd5\u5728\u4f7f\u7528\u9019\u4e9bLinux\u5957\u4ef6\u7684\u4f3a\u670d\u5668\u4e0a\u57f7\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\u3002<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2014\/09\/Bash-Shell-blog940x198.jpg\"><br \/>\n<\/a> <a href=\"https:\/\/blog.trendmicro.com.tw\/?cat=1761\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9933\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2014\/09\/Bash-Shell-TM940x312_0926.jpg\" alt=\"Bash Shell TM940x312_0926\" width=\"940\" height=\"312\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2014\/09\/Bash-Shell-TM940x312_0926.jpg 940w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2014\/09\/Bash-Shell-TM940x312_0926-300x99.jpg 300w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2014\/09\/Bash-Shell-TM940x312_0926-600x199.jpg 600w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2014\/09\/Bash-Shell-TM940x312_0926-800x266.jpg 800w\" sizes=\"(max-width: 940px) 100vw, 940px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>\u9019\u81ed\u87f2\uff08\u6f0f\u6d1e\uff09\u662f\u4ec0\u9ebc\uff1f<\/em><\/strong><\/p>\n<p>*nix\u74b0\u5883\u4e2d\u6700\u53d7\u6b61\u8fce\u7684Shell\u6709\u56b4\u91cd\u7684\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u8b93\u653b\u64ca\u8005\u7a7f\u904e\u7db2\u8def\u8ddf\u4e2d\u9593\u7684\u9632\u8b77\u4f86\u57f7\u884c\u4efb\u610f\u6307\u4ee4\u3002\u6700\u5e38\u898b\u7684\u662f\u4f7f\u7528CGI\u7684\u7db2\u9801\u4f3a\u670d\u5668\u74b0\u5883\u3002<\/p>\n<p>Bash\u5141\u8a31\u8f38\u51faShell\u529f\u80fd\u51fd\u6578\u5230\u5176\u4ed6bash\u7a0b\u5e8f\u3002\u9019\u662f\u900f\u904e\u5efa\u7acb\u6709\u529f\u80fd\u51fd\u6578\u5b9a\u7fa9\u7684\u74b0\u5883\u8b8a\u6578\u4f86\u505a\u5230\u3002\u4f8b\u5982\uff1a<\/p>\n<p>env ENV_VAR_FN=\u2019() { &lt;your function&gt; };\u2019<\/p>\n<p>ENV_VAR_FN\u5c31\u662f\u6703\u88ab\u8f38\u51fa\u5230\u4efb\u4f55\u5f8c\u8d77bash\u7a0b\u5e8f\u7684\u529f\u80fd\u51fd\u6578\u3002\u9019\u770b\u8d77\u4f86\u662f\u500b\u6709\u7528\u7684\u529f\u80fd\uff0c\u5c0d\u5427\uff1f\u4f46\u5728Bash\u5be6\u4f5c\u4e0a\u6709\u500b\u81ed\u87f2\uff0c\u5c31\u662f\u5b83\u6703\u7e7c\u7e8c\u8b80\u53d6\u529f\u80fd\u51fd\u6578\u5b9a\u7fa9\u5f8c\u7684\u90e8\u5206\u548c\u57f7\u884c\u5b9a\u7fa9\u5f8c\u9762\u7684\u6307\u4ee4\u3002\u5728\u7406\u60f3\u72c0\u6cc1\u4e0b\uff0c\u5b83\u61c9\u8a72\u505c\u6b62\u8b80\u53d6\u5b9a\u7fa9\u4ee5\u5f8c\u7684\u6771\u897f\u4e26\u52a0\u4ee5\u5ffd\u7565\uff0c\u4e0d\u7ba1\u4e4b\u5f8c\u662f\u4ec0\u9ebc\uff0c\u4f46\u662f\u5b83\u6c92\u6709\u3002<\/p>\n<p>env ENV_VAR_FN=\u2019() { &lt;your function&gt; }; &lt;attacker code here&gt;\u2019<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>\u5b83\u5982\u4f55\u8de8\u8d8a\u7db2\u8def\u5f71\u97ff\u670d\u52d9\uff1f<\/em><\/strong><\/p>\n<p>\u6709\u9451\u65bcBash\u74b0\u5883\u88ab\u7528\u5728\u8a31\u591a\u8a2d\u5b9a\u5167\u9019\u73fe\u5be6\uff0c\u9019\u5305\u62ec\u4e86 CGI\u3001ssh\u3001rsh\u3001rlogin\u7b49\uff0c\u9019\u4e9b\u670d\u52d9\u90fd\u53ef\u80fd\u53d7\u5230\u6b64\u81ed\u87f2\u5f71\u97ff\u3002\u4efb\u4f55\u6703\u63a5\u53d7\u4f7f\u7528\u8005\u8f38\u5165\u548c\u5c07\u5176\u8f38\u5165\u9001\u5230Bash\u74b0\u5883\u7684\u7db2\u9801\u4f3a\u670d\u5668\u4e5f\u90fd\u6703\u53d7\u6b64\u6f0f\u6d1e\u5f71\u97ff\u3002CGI \u74b0\u5883\u5e95\u4e0b\u7684\u60e1\u610f\u8acb\u6c42\u6703\u50cf\u662f\u9019\u6a23\u5b50\uff1a<\/p>\n<p>GET \/&lt;server path&gt; HTTP\/1.1<\/p>\n<p>User-agent: () { :;}; echo something&gt;\/var\/www\/html\/new_file<\/p>\n<p>\u9019\u6703\u70ba\u653b\u64ca\u8005\u5efa\u7acb\u4e00\u500b\u65b0\u6a94\u6848<em>new_file<\/em>\u3002<\/p>\n<p>\u7db2\u9801\u61c9\u7528\u7a0b\u5f0f\u662f\u6b64\u6f0f\u6d1e\u7684\u6700\u5927\u53d7\u653b\u64ca\u9762\u3002\u4e0d\u904e\u4e0a\u8ff0\u7684\u5176\u4ed6\u5e7e\u500b\u670d\u52d9\u4e5f\u6709\u53ef\u80fd\u88ab\u61c9\u7528\u985e\u4f3c\u7684\u653b\u64ca\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>\u9019\u53ef\u80fd\u9020\u6210\u4ec0\u9ebc\u50b7\u5bb3\uff1f<\/em><\/strong><\/p>\n<p>\u4e0a\u9762\u4f8b\u5b50\u53ea\u662f\u5c55\u793a\u4e86\u5982\u4f55\u5efa\u7acb\u4e00\u500b\u6a94\u6848\uff0c\u4f46\u5be6\u969b\u4e0a\u653b\u64ca\u8005\u53ef\u4ee5\u57f7\u884c\u4efb\u4f55Bash\u6240\u53ef\u4ee5\u63a5\u53d7\u7684\u6307\u4ee4\u3002\u9019\u53ef\u80fd\u662f\u4fee\u6539\u7db2\u9801\u4f3a\u670d\u5668\u4e0a\u7684\u5167\u5bb9\uff0c\u8b8a\u66f4\u7db2\u9801\u7a0b\u5f0f\u78bc\uff0c\u8b8a\u63db\u7db2\u7ad9\u5916\u89c0\uff0c\u5f9e\u8cc7\u6599\u5eab\u7aca\u53d6\u4f7f\u7528\u8005\u8cc7\u6599\uff0c\u8b8a\u66f4\u7db2\u7ad9\u4e0a\u7684\u6b0a\u9650\uff0c\u5b89\u88dd\u5f8c\u9580\u7a0b\u5f0f\u7b49\u3002<\/p>\n<p>\u8acb\u8a18\u4f4f\uff0c\u5b83\u6703\u4ee5\u7db2\u9801\u4f3a\u670d\u5668\u7684\u904b\u884c\u4f7f\u7528\u8005\u8eab\u4efd\u4f86\u57f7\u884c\u3002\u9019\u4f7f\u7528\u8005\u901a\u5e38\u662fhttpd\u3002\u8981\u6ce8\u610f\u7684\u662f\u9019\u6f0f\u6d1e\u4e26\u4e0d\u6703\u63d0\u5347\u6b0a\u9650\uff0c\u4f46\u5b83\u53ef\u4ee5\u548c\u53e6\u4e00\u500b\u672c\u5730\u6f0f\u6d1e\u5171\u540c\u904b\u4f5c\u4f86\u63d0\u5347\u5230root\u4f7f\u7528\u8005\u6b0a\u9650\u3002\u653b\u64ca\u8005\u5408\u4f75\u4e0d\u540c\u6f0f\u6d1e\u653b\u64ca\u4f86\u9032\u5165\u7cfb\u7d71\u7684\u624b\u6cd5\u4e26\u4e0d\u5c11\u898b\u3002<\/p>\n<p>Shell\u8173\u672c\u7a0b\u5f0f\u5728Linux\u4e0a\u88ab\u5ee3\u6cdb\u7684\u4f7f\u7528\uff0c\u9019\u610f\u5473\u8457\u6709\u5f88\u591a\u65b9\u6cd5\u4f86\u89f8\u767c\u6b64\u6f0f\u6d1e\u3002Bash\u88ab\u7528\u5728\u5927\u591a\u6578Unix\u548cLinux\u7cfb\u7d71\u4ee5\u53caOS X\u4e0a\u3002Red Hat Linux\uff0c\u4e16\u754c\u4e0a\u6700\u5927\u7684Linux\u4f9b\u61c9\u5546\u4e4b\u4e00\uff0c\u5728\u7d66<a href=\"https:\/\/access.redhat.com\/articles\/1200223\">\u5176\u5ba2\u6236\u7684\u516c\u544a<\/a>\u4e2d\u8aaa\u5230\uff1a\u300c\u7531\u65bcBash shell\u7684\u666e\u904d\u4f7f\u7528\uff0c\u9019\u500b\u554f\u984c\u5f88\u56b4\u91cd\uff0c\u5fc5\u9808\u8a8d\u771f\u5c0d\u5f85\u3002\u300d<\/p>\n<p>\u6b64\u5916\uff0c\u56e0\u70baLinux\uff08\u4e5f\u5c31\u662f\u8aaa\uff0c\u6709\u7528Bash\uff09\u88ab\u7528\u5728\u8a31\u591a\u5d4c\u5165\u5f0f\u7269\u806f\u7db2\uff08IoT\/IoE\uff09\u8a2d\u5099\u4e0a\uff0c\u9019\u4e9b\u8a2d\u5099\u6703\u5e36\u6709\u6b64\u6f0f\u6d1e\u4ee5\u53ca\u56f0\u96e3\u5230\u7121\u6cd5\u4fee\u88dc\u7684\u98a8\u96aa\u4e5f\u4e0d\u80fd\u6392\u9664\u3002\u6700\u5f8c\uff0c\u6709<a href=\"https:\/\/www.cryptocoinsnews.com\/bitcoin-at-risk-major-vulnerability-discovered-in-gnu-bash\/\">\u65b0\u805e<\/a>\u6307\u51fa\u6bd4\u7279\u5e63\/\u6bd4\u7279\u5e63\u63a1\u7926\u4e5f\u53ef\u80fd\u906d\u53d7\u6b64\u5b89\u5168\u554f\u984c\u5f71\u97ff\u3002<\/p>\n<p><strong><em>\u53d7\u5f71\u97ff\u7684 Bash\u7248\u672c\u6709\u54ea\u4e9b\uff1f<\/em><\/strong><\/p>\n<p>\u76f4\u5230\u4e26\u5305\u62ec4.3\u7684Bash\u7248\u672c\u90fd\u6703\u53d7\u6b64\u6f0f\u6d1e\u5f71\u97ff\u3002\u60f3\u8981\u78ba\u8a8d\uff0c\u8acb\u6aa2\u67e5\u4f60\u7684*nix\u5ee0\u5546\u7db2\u7ad9\u4f86\u78ba\u8a8d\u4fee\u88dc\u7248\u672c\u3002Redhat\u7684\u5ba2\u6236\u53ef\u4ee5\u53c3\u8003<a href=\"https:\/\/access.redhat.com\/articles\/1200223\">\u9019\u88e1<\/a>\u3002<\/p>\n<p><strong><em>\u6211\u73fe\u5728\u8a72\u600e\u9ebc\u505a\uff1f<\/em><\/strong><\/p>\n<p>\u9996\u8981\u4e4b\u52d9\u662f\u5347\u7d1aBash\u5230\u6700\u65b0\u7248\u672c\u3002\u6709\u9452\u65bc\u6b64\u653b\u64ca\u7684\u5c64\u7d1a\uff0c\u8acb\u8b8a\u66f4\u4f60\u7684SSH\u91d1\u9470\u4f86\u78ba\u4fdd\u4f60\u7db2\u9801\u4f3a\u670d\u5668\u7684\u5b8c\u6574\u6027\uff0c\u56e0\u70ba\u5b83\u5011\u53ef\u80fd\u5df2\u7d93\u88ab\u7aca\u3002\u6700\u597d\u4e5f\u8981\u8b8a\u66f4\u767b\u5165\u6191\u8b49\u4e26\u6aa2\u67e5\u8cc7\u6599\u5eab\u65e5\u8a8c\u4ee5\u67e5\u770b\u662f\u5426\u6709\u4efb\u4f55\u5927\u898f\u6a21\u8cc7\u6599\u67e5\u8a62\u52d5\u4f5c\u57f7\u884c\u3002<\/p>\n<p><strong><em>\u6211\u8a72\u5982\u4f55\u77e5\u9053\u88ab\u5229\u7528\u6b64\u6f0f\u6d1e\u653b\u64ca\uff1f<\/em><\/strong><\/p>\n<p>\u5982\u679c\u4f60\u4ed4\u7d30\u6aa2\u67e5\u4f60\u7684\u7db2\u9801\u4f3a\u670d\u5668\u65e5\u8a8c\uff0c\u5728\u5f88\u591a\u72c0\u6cc1\u4e0b\u4f60\u90fd\u53ef\u4ee5\u8b58\u5225\u9019\u7a2e\u653b\u64ca\u7684\u75d5\u8de1\u3002\u5728\u5b58\u53d6\u8a18\u9304\u4e2d\u67e5\u627e() {\u5b57\u4e32\u3002\u6b64\u5916\uff0c\u6709\u4e9b\u932f\u8aa4\u6703\u88ab\u8a18\u9304\u5728<em>error_log<\/em>\u3002\u4e0d\u904e\u8acb\u6ce8\u610f\uff0c\u5728\u67d0\u4e9b\u60c5\u6cc1\u4e0b\u4f60\u4e26\u7121\u6cd5\u767c\u73fe\u6b64\u7a2e\u653b\u64ca\u7684\u75d5\u8de1\u3002<\/p>\n<p>\u8da8\u52e2\u79d1\u6280<a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/cloud-solutions\/deep-security\/index.html\">Deep Security<\/a>\u00a0 \u7684\u5ba2\u6236\u53ef\u4ee5\u4f7f\u7528\u5b8c\u6574\u6027\u76e3\u63a7\u4f86\u6aa2\u67e5\u65e5\u8a8c\u4e26\u78ba\u4fdd\u7db2\u9801\u4f3a\u670d\u5668\u5167\u5bb9\u7684\u5b8c\u6574\u6027\u4e0d\u53d7\u5f71\u97ff\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>\u8da8\u52e2\u79d1\u6280\u63d0\u4f9b\u54ea\u4e9b\u91dd\u5c0d\u6b64\u6f0f\u6d1e\u7684\u9632\u8b77\uff1f<\/em><\/strong><\/p>\n<p>\u8da8\u52e2\u79d1\u6280\u00a0<a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/cloud-solutions\/deep-security\/index.html\">Deep Security<\/a>\u00a0\u7684\u5ba2\u6236\u5fc5\u9808\u66f4\u65b0DSRU14-028\u4e26\u555f\u7528\u4ee5\u4e0b\u898f\u5247\uff1a<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>1006256 \u2013 GNU Bash Remote Code Execution Vulnerability<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u6703\u6301\u7e8c\u63d0\u4f9b\u95dc\u65bc\u6b64\u6f0f\u6d1e\u7684\u66f4\u65b0,\u4f7f\u7528\u8005\u53ef\u4ee5\u7684<a href=\"https:\/\/blog.trendmicro.com.tw\/?cat=1761\">\u5230\u9019\u88e1<\/a>\u4f86\u7372\u5f97\u6700\u65b0\u8cc7\u8a0a\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\uff20\u539f\u6587\u51fa\u8655\uff1a<a title=\"Permanent Link: Bash Vulnerability Leads to Shellshock: What it is, How it Affects You\" href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/shell-attack-on-your-server-bash-bug-cve-2014-7169-and-cve-2014-6271\/\" rel=\"bookmark\"><span class=\"post_h2_a\">Bash Vulnerability Leads to Shellshock: What it is, How it Affects You<\/span><\/a>\u4f5c\u8005\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/author\/pawanpavan\/\">Pavan Thorat\u548cPawan Kinger\uff08\u8da8\u52e2\u79d1\u6280Deep Security\u5be6\u9a57\u5ba4\uff09<\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4f3a\u670d\u5668\u4e0a\u7684 Shell \u653b\u64ca\uff1aBash\u81ed\u87f2\u300cCVE-2014-7169\u300d\u548c\u300cCVE-2014-6271\u300d \u7e7c\u56db [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":9940,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[1761,1762,156,179],"tags":[1758,1759,1760,1763,452],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/9929"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9929"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/9929\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/media\/9940"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}