shellshock破壳漏洞bash

bash破壳漏洞远程代码执行Bash Remote Code Execution (Shellshock)修补方案

Synopsis概述:
A system shell on the remote host is vulnerable to command injection.

bash破壳漏洞远程代码执行Bash Remote Code Execution (Shellshock)修补方案
shellshock破壳漏洞bash

Description漏洞描述
The remote host is running a version of Bash that is vulnerable to command injection via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.

Solution解决方案,就是升级bash
Update Bash.

See Also相关链接
Links:
seclists.org
nessus.org
invisiblethreat.ca
Plugin Output
漏洞证明:
Nessus was able to set the TERM environment variable used in an SSH
connection to :

() { :;}; /usr/bin/id > /tmp/nessus.1571832930
and read the output from the file :
uid=501(haha) gid=503(haha) groups=503(haha)
Note: Nessus has attempted to remove the file /tmp/nessus.1571832930

升级步骤:

[root@haha ~]# yum update bash
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
ifengcdn | 2.3 kB 00:00
Not using downloaded repomd.xml because it is older than what we have:
Current : Thu Oct 17 11:13:35 2019
Downloaded: Thu Oct 17 10:45:20 2019
38 packages excluded due to repository priority protections
Setting up Update Process
Resolving Dependencies
–> Running transaction check 提示可以从15升级到48
—> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
—> Package bash.x86_64 0:4.1.2-48.el6 will be an update
–> Finished Dependency Resolution

Dependencies Resolved

============================================================================
Package Arch Version Repository Size
============================================================================
Updating:
bash x86_64 4.1.2-48.el6 ifengcdnbase 910 k

Transaction Summary
============================================================================
Upgrade 1 Package(s)

Total download size: 910 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-48.el6.x86_64.rpm | 910 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 3 pre-existing rpmdb problem(s), ‘yum check’ output follows:
libselinux-devel-2.0.94-7.el6.x86_64 has missing requires of libselinux = (‘0’, ‘2.0.94’, ‘7.el6’)
libselinux-ruby-2.0.94-7.el6.x86_64 has missing requires of libselinux = (‘0’, ‘2.0.94’, ‘7.el6’)
libselinux-utils-2.0.94-7.el6.x86_64 has missing requires of libselinux = (‘0’, ‘2.0.94’, ‘7.el6’)
Updating : bash-4.1.2-48.el6.x86_64 1/2
Error unpacking rpm package bash-4.1.2-48.el6.x86_64
这里有一个明显的报错:
error: unpacking of archive failed on file /bin/bash: cpio: rename
Verifying : bash-4.1.2-48.el6.x86_64 1/2
bash-4.1.2-15.el6_4.x86_64 was supposed to be removed but is not!
Verifying : bash-4.1.2-15.el6_4.x86_64 2/2
失败了:
Failed:
bash.x86_64 0:4.1.2-15.el6_4 bash.x86_64 0:4.1.2-48.el6

Complete!
这个很好解决,就是系统文件保护导致的:
[root@haha ~]# lsattr /usr/bin/bash
lsattr: No such file or directory while trying to stat /usr/bin/bash
[root@haha ~]# lsattr /bin/bash
—-i——–e- /bin/bash
去掉i属性再试试:
[root@haha ~]# chattr -i /bin/bash
[root@haha ~]# yum update bash
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
ifengcdn | 2.3 kB 00:00
Not using downloaded repomd.xml because it is older than what we have:
Current : Thu Oct 17 11:13:35 2019
Downloaded: Thu Oct 17 10:45:20 2019
38 packages excluded due to repository priority protections
Setting up Update Process
Resolving Dependencies
–> Running transaction check
—> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
—> Package bash.x86_64 0:4.1.2-48.el6 will be an update
–> Finished Dependency Resolution

Dependencies Resolved

============================================================================
Package Arch Version Repository Size
============================================================================
Updating:
bash x86_64 4.1.2-48.el6 ifengcdnbase 910 k

Transaction Summary
============================================================================
Upgrade 1 Package(s)

Total download size: 910 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-48.el6.x86_64.rpm | 910 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : bash-4.1.2-48.el6.x86_64 1/2
Cleanup : bash-4.1.2-15.el6_4.x86_64 2/2
Verifying : bash-4.1.2-48.el6.x86_64 1/2
Verifying : bash-4.1.2-15.el6_4.x86_64 2/2

Updated:
bash.x86_64 0:4.1.2-48.el6
成功了
Complete!
[root@haha ~]# rpm -qa|grep bash
bash-4.1.2-48.el6.x86_64