Bash security vulnerability disclosed, more serious than Heartbleed; test and remedy included

A vulnerability disclosed on 2014-09-25 may pose a greater threat to computer users than the "Heartbleed" vulnerability discovered in April this year.
Tod Beardsley, engineering manager at the network security company Rapid7, warned that the Bash vulnerability is rated at severity level "10", meaning it poses the greatest possible threat to users' computers, and that its exploitation complexity is rated "low", meaning attackers can exploit it with relatively little effort.

Test method: run the following command

  $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  vulnerable
  this is a test

If the text above appears, you need to apply the patch.

I tried CentOS 5.4, 5.5, 6.0 and others, and all of them have the problem:
GNU bash, version 3.2.25(1)-release-(x86_64-redhat-linux-gnu)
GNU bash, version 4.1.2(1)-release-(x86_64-unknown-linux-gnu)

Remedy

  yum -y update bash

Test again after upgrading

  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  bash: warning: x: ignoring function definition attempt
  bash: error importing function definition for `x'
  this is a test

If the output looks like the above, the vulnerability has been fixed.
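As an added example that is not part of the original post, the following POSIX sh script wraps the post's probe command so the result can be classified mechanically (for example when checking many hosts). The function names are my own; the classification rules are taken from the two outputs shown above, plus the case of a newer bash that silently ignores the variable and prints only "this is a test".

```sh
#!/bin/sh
# Added example: wrap the post's Shellshock probe and classify its output.

# The probe from the post. An unpatched bash imports the function body from
# the environment and also executes the trailing command, printing "vulnerable".
shellshock_probe() {
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>&1
}

# Classify captured probe output passed as $1.
#   "vulnerable": the injected echo ran.
#   "patched":    bash warned and ignored the function definition (the message
#                 quoted in the post), or simply ran the -c command and nothing else.
#   "unknown":    anything else (e.g. bash not installed).
classify_shellshock() {
    case "$1" in
        *vulnerable*)                            echo vulnerable ;;
        *"ignoring function definition attempt"*) echo patched ;;
        *"this is a test"*)                      echo patched ;;
        *)                                       echo unknown ;;
    esac
}

# Run the probe on this host and print one word: vulnerable, patched or unknown.
check_shellshock() {
    out=$(shellshock_probe) || true   # keep going even if the probe itself fails
    classify_shellshock "$out"
}

# Usage when run directly: report this host's status.
printf '%s: %s\n' "$(hostname)" "$(check_shellshock)"
```

A non-zero exit could be wired to `check_shellshock` if the script is used in a monitoring job, but here it prints a word so the output of many hosts can be collected and compared.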

Reference:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Posted in Security Advisories.
