The vulnerability disclosed on 2014-09-25 may pose a greater threat to computer users than the Heartbleed bug found in April this year.
Tod Beardsley, engineering manager at the network security firm Rapid7, warned that the Bash vulnerability is rated severity "10", meaning it poses the maximum threat to users' computers. Its exploitation complexity is rated "low", meaning attackers can exploit it with relative ease.
Test method: run the following command. It plants a function definition with a trailing command in an environment variable; a vulnerable bash executes the trailing `echo vulnerable` while importing the function instead of stopping at the closing brace.
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
If the output above appears, you need to patch.
I tried CentOS 5.4, 5.5, 6.0 and so on, and all of them are affected.
GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
GNU bash, version 4.1.2(1)-release (x86_64-unknown-linux-gnu)
Remediation
yum -y update bash
Retest after upgrading:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
If you see the above (the two warning lines are expected: the patched bash refuses to import the malformed definition and never runs the trailing command), it has been fixed.
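A reusable form of the test-and-retest procedure above, as an added example that is not part of the original post: it wraps the CVE-2014-6271 command from this page in a function that reports a status and exit code, and also runs the follow-up test for CVE-2014-7169, which Red Hat published after the first bash update turned out to be incomplete (the post does not cover that second CVE). The function name `shellshock_status` and the status words `missing`, `vulnerable` and `patched` are this example's own conventions, not anything from the page or from the bash project.

```sh
#!/bin/sh
# Added example (not from the original post): Shellshock check for a given shell.
# Usage: shellshock_status [path-to-shell]   (default: bash found in PATH)
# Prints "missing", "vulnerable" or "patched" and exits 2, 1 or 0 respectively.

shellshock_status() {
    sh_bin=${1:-bash}
    if ! command -v "$sh_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi

    # CVE-2014-6271: a function definition imported from the environment
    # must not execute the command that follows the closing brace.
    # Warnings from a patched bash go to stderr and are discarded here.
    out=$(env x='() { :;}; echo vulnerable' "$sh_bin" -c "echo this is a test" 2>/dev/null)
    case $out in
        *vulnerable*) echo "vulnerable"; return 1 ;;
    esac

    # CVE-2014-7169: the first patch still let a crafted definition leave the
    # parser in a state where the next command's first word becomes a redirection
    # target, so "echo date" writes the output of date into a file named "echo".
    # Run in a scratch directory so a vulnerable shell cannot clobber a real file.
    tmpdir=$(mktemp -d) || return 2
    ( cd "$tmpdir" && env X='() { (a)=>\' "$sh_bin" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$tmpdir/echo" ]; then
        rm -rf "$tmpdir"
        echo "vulnerable"
        return 1
    fi
    rm -rf "$tmpdir"

    echo "patched"
    return 0
}

# When executed directly, check the shell named on the command line (default: bash).
shellshock_status "${1:-bash}"
```

Run it with no arguments to test the bash in PATH, or pass an explicit path such as `/bin/bash` to check a specific binary; a non-zero exit code means the shell is either vulnerable or not installed, which makes the script easy to drop into a fleet-wide check after `yum -y update bash`.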
Reference:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/