由bash:cve-2014-6271 学习execve 2

关于bash的测试方法如下:

root@localhost execve]# env x='() { :;}; echo valunerable' bash -c "echo this is a test"
valunerable
this is a test

我们使用ltrace 跟踪一下

strcpy(0x1260c10, ":")                           = 0x1260c10
malloc(16)                                       = 0x1260c30
free(0x1260a10)                                  = <void>
free(0x12609f0)                                  = <void>
free(0x1260a70)                                  = <void>
strcmp("execute-command", "execute-command")     = 0
free(0x1260a40)                                  = <void>
strlen("%s%s")                                   = 4
malloc(64)                                       = 0x1260c50
strlen("echo")                                   = 4
memcpy(0x1260c50, "echo", 4)                     = 0x1260c50
strlen(" ")                                      = 1
memcpy(0x1260c54, " ", 1)                        = 0x1260c54
strlen("%s%s")                                   = 4
strlen("valunerable")                            = 11
memcpy(0x1260c55, "valunerable", 11)             = 0x1260c55
strlen("")                                       = 0
strlen("echo valunerable")                       = 16
malloc(17)                                       = 0x12609f0
strcpy(0x12609f0, "echo valunerable")            = 0x12609f0
malloc(16)                                       = 0x1260ca0
strlen("echo")                                   = 4
malloc(5)                                        = 0x1260cc0
strcpy(0x1260cc0, "echo")                        = 0x1260cc0
malloc(16)                                       = 0x1260ce0
malloc(16)                                       = 0x1260d00
strlen("valunerable")                            = 11
malloc(12)                                       = 0x1260d20
strcpy(0x1260d20, "valunerable")                 = 0x1260d20
malloc(16)                                       = 0x1260d40
__ctype_get_mb_cur_max()                         = 6
strlen("echo")                 

看一下问题发生的的原因:

[root@localhost bash-4.2]# vim builtins/evalstring.c 
int
parse_and_execute (string, from_file, flags)
     char *string;
     const char *from_file;
     int flags;
{
...

 if (parse_command () == 0)
        {
          if ((flags & SEVAL_PARSEONLY) || (interactive_shell == 0 && read_but_dont_execute))
              此语句没有做函数边界判断
            {
              last_result = EXECUTION_SUCCESS;
              dispose_command (global_command);
              global_command = (COMMAND *)NULL;
            }
          else if (command = global_command)
            {
             //此语句如果执行,传入的函数则会被当作全局变量,然后全局变量后的代码则会执行成功
              struct fd_bitmap *bitmap;

              bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
              begin_unwind_frame ("pe_dispose");
              add_unwind_protect (dispose_fd_bitmap, bitmap);
              add_unwind_protect (dispose_command, command);    /* XXX */

              global_command = (COMMAND *)NULL;

              if ((subshell_environment & SUBSHELL_COMSUB) && comsub_ignore_return)
                command->flags |= CMD_IGNORE_RETURN;

void
initialize_shell_variables (env, privmode)
     char **env;
    create_variable_tables ();
  从ENV环境变量中获取参数
  for (string_index = 0; string = env[string_index++]; )
    {
      char_index = 0;
      name = string;
      while ((c = *string++) && c != '=')
        ;
      if (string[-1] == '=')
        char_index = string - name - 1;

      /* If there are weird things in the environment, like `=xxx' or a
         string without an `=', just skip them. */
      if (char_index == 0)
        continue;

      /* ASSERT(name[char_index] == '=') */
      name[char_index] = '\0';
      /* Now, name = env variable name, string = env variable value, and
         char_index == strlen (name) */

      temp_var = (SHELL_VAR *)NULL;

      /* If exported function, define it now.  Don't import functions from
         the environment in privileged mode. */
      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
        bash函数的处理:
        {
          string_length = strlen (string);
          temp_string = (char *)xmalloc (3 + string_length + char_index);

          strcpy (temp_string, name);
          temp_string[char_index] = ' ';
          strcpy (temp_string + char_index + 1, string);
          这里调用了parse_and_execute ,再调用之前没有对temp_string 的边界进行检查
          parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);

          /* Ancient backwards compatibility.  Old versions of bash exported
             functions like name()=() {...} */
          if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
            name[char_index - 2] = '\0';

          if (temp_var = find_function (name))
            {
              VSETATTR (temp_var, (att_exported|att_imported));
              array_needs_making = 1;
            }
           else
            report_error (_("error importing function definition for `%s'"), name);

          /* ( */
          if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
            name[char_index - 2] = '(';         /* ) */
        }

官方提供的第一次patch

cat  bash-requires.patch 
diff -up bash-4.1/execute_cmd.c.requires bash-4.1/execute_cmd.c
--- bash-4.1/execute_cmd.c.requires	2010-08-02 17:42:41.000000000 +0200
+++ bash-4.1/execute_cmd.c	2010-08-02 17:42:41.000000000 +0200
@@ -503,6 +503,8 @@ async_redirect_stdin ()
 
 #define DESCRIBE_PID(pid) do { if (interactive) describe_pid (pid); } while (0)
 
+extern int rpm_requires;
+
 /* Execute the command passed in COMMAND, perhaps doing it asynchrounously.
    COMMAND is exactly what read_command () places into GLOBAL_COMMAND.
    ASYNCHROUNOUS, if non-zero, says to do this command in the background.
@@ -534,7 +536,13 @@ execute_command_internal (command, async
 #else
   if (breaking || continuing)
     return (last_command_exit_value);
-  if (command == 0 || read_but_dont_execute)
+  if (command == 0 || (read_but_dont_execute && !rpm_requires))
+    return (EXECUTION_SUCCESS);
+  if (rpm_requires && command->type == cm_function_def)//加入判断类型
+    return last_command_exit_value =
+      execute_intern_function (command->value.Function_def->name,
+                              command->value.Function_def->command);
+  if (read_but_dont_execute)
     return (EXECUTION_SUCCESS);
 #endif

但产生了一个新的问题:

[root@localhost ~]# env X='() { (x)=>\' bash -c "my echo valunerable"
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
[root@localhost ~]# cat my 
valunerable

由于函数体满足() { ,也没有发现”;”,bash在eval的时候遇到语法问题(x)=被忽略了,就执行>/my echo valunerable

第二次提供了

     /* If exported function, define it now.  Don't import functions from
 	 the environment in privileged mode. */
-      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
-	{
-	  string_length = strlen (string);
-	  temp_string = (char *)xmalloc (3 + string_length + char_index);
+      if (privmode == 0 && read_but_dont_execute == 0
+	  && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
+	  && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
+	  && STREQN ("() {", string, 4)) //增加了函数边界判断
+	{
+	  size_t name_length
+	    = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
+	  char *temp_name = name + FUNCDEF_PREFIX_LEN;
+	  /* Temporarily remove the suffix. */
+	  temp_name[name_length] = '\0';
 
-	  strcpy (temp_string, name);
-	  temp_string[char_index] = ' ';
-	  strcpy (temp_string + char_index + 1, string);
+	  string_length = strlen (string);
+	  temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
+	  memcpy (temp_string, temp_name, name_length);
+	  temp_string[name_length] = ' ';
+	  memcpy (temp_string + name_length + 1, string, string_length + 1);
 
 	  /* Don't import function names that are invalid identifiers from the
 	     environment, though we still allow them to be defined as shell
	     variables. */
-	  if (legal_identifier (name))
-	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+	  if (legal_identifier (temp_name))
+	    parse_and_execute (temp_string, temp_name,
+			       SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 
-	  if (temp_var = find_function (name))
+	  if (temp_var = find_function (temp_name))
 	    {
 	      VSETATTR (temp_var, (att_exported|att_imported));
 	      array_needs_making = 1;
 	    }
 	  else
 	    report_error (_("error importing function definition for `%s'"), name);
+
+	  /* Restore the original suffix. */
+	  temp_name[name_length] = FUNCDEF_SUFFIX[0];
 	}
 #if defined (ARRAY_VARS)
 #  if 0
@@ -2537,7 +2557,7 @@
   var->context = variable_context;	/* XXX */
 
   INVALIDATE_EXPORTSTR (var);
-  var->exportstr = mk_env_string (name, value);
+  var->exportstr = mk_env_string (name, value, 0);
 
   array_needs_making = 1;
 
@@ -3388,22 +3408,43 @@
 /*								    */
 /* **************************************************************** */
 
+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
+   which case it is treated as empty).  Otherwise, decorate NAME with
+   FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
+   FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces).  */
//增加了对函数的判断
 static inline char *
-mk_env_string (name, value)
+mk_env_string (name, value, functionp)
      const char *name, *value;
+     int functionp;
 {
-  int name_len, value_len;
-  char	*p;
+  size_t name_len, value_len;
+  char *p, *q;
 
   name_len = strlen (name);
   value_len = STRLEN (value);
-  p = (char *)xmalloc (2 + name_len + value_len);
-  strcpy (p, name);
-  p[name_len] = '=';
+  if (functionp && value != NULL)
+    {
+      p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
+			   + 1 + value_len + 1);
+      q = p;
+      memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
+      q += FUNCDEF_PREFIX_LEN;
+      memcpy (q, name, name_len);
+      q += name_len;
+      memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
+      q += FUNCDEF_SUFFIX_LEN;
+    }
+  else
+    {
+      p = (char *)xmalloc (name_len + 1 + value_len + 1);
+      memcpy (p, name, name_len);
+      q = p + name_len;
+    }
+  q[0] = '=';
   if (value && *value)
-    strcpy (p + name_len + 1, value);
+    memcpy (q + 1, value, value_len + 1);
   else
-    p[name_len + 1] = '\0';
+    q[1] = '\0';
   return (p);
 }


发表评论

您的电子邮箱地址不会被公开。