Is there an example of a CVE-2014-6271 attack via ssh?


2

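I have read about the CVE-2014-6271 bug on many pages, but I still cannot understand how it could be exploited through ssh.

In everything I have read, I could not find an example where a piece of code can be executed without authentication. I just want to understand the bug better; no hacking is involved.

According to https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

An attacker can provide specially crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.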

1

You cannot circumvent authentication by exploiting this bug.

But SSH allows you to restrict what commands a user can run, e.g. by using ForceCommand in sshd_config. By exploiting this bug a user can circumvent this restriction and run any command she/he wants.


0

The bug occurs when bash gets executed with a specially crafted environment variable.

Remote exploitation over SSH is only possible when bash is executed. When the ForceCommand SSH option is in use, that command always gets executed using the login shell of the authenticated user (see the manual page of sshd_config).

Vulnerable configurations include public git services which normally restrict you to just running git commands. With this bug, you would be able to execute shell commands, bypassing the ForceCommand restriction. For a git daemon service, this could mean that you can access all repositories owned by the system user (bypassing access restrictions imposed by, say, gitolite).
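To find the accounts the answers above describe, the following added example (not part of either answer) lists users who are restricted by a forced command and whose login shell is bash-like, meaning the restriction is launched through bash. It also checks the `command="..."` option in authorized_keys, which gitolite-style setups use; the function names, paths and sample data are constructed for illustration, and only `Match User` blocks are parsed.

```python
import fnmatch
import posixpath
import re

# /bin/sh is bash on some distributions, so it is flagged for review too.
BASH_LIKE = {"bash", "sh"}

def login_shells(passwd_text):
    """Map user -> login shell from passwd(5)-format text."""
    rows = (l.split(":") for l in passwd_text.splitlines() if not l.startswith("#"))
    return {r[0]: r[6].strip() for r in rows if len(r) == 7}

def forced_by_sshd(config_text, users):
    """Users covered by ForceCommand, globally or under 'Match User'.
    Simplification: other Match criteria and negated patterns are skipped."""
    patterns, covered = ["*"], set()
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "match":
            is_user = len(words) > 2 and words[1].lower() == "user"
            patterns = words[2].split(",") if is_user else []
        elif key == "forcecommand":
            covered |= {u for u in users
                        if any(fnmatch.fnmatch(u, p) for p in patterns)}
    return covered

def audit(config_text, passwd_text, authorized_keys):
    """Return sorted (user, shell, source) tuples: accounts whose forced
    command is launched through a bash-like login shell."""
    shells = login_shells(passwd_text)
    source = {u: "ForceCommand" for u in forced_by_sshd(config_text, shells)}
    for user, text in authorized_keys.items():
        if re.search(r'^\s*([^#\s]\S*,)?command="', text, re.M):
            source.setdefault(user, "authorized_keys command=")
    return sorted((u, shells[u], s) for u, s in source.items()
                  if posixpath.basename(shells.get(u, "")) in BASH_LIKE)

# Constructed sample inputs, not taken from any real host.
SSHD_CONFIG = "PermitRootLogin no\nMatch User git,backup\n    ForceCommand /usr/local/bin/restricted-wrapper\n"
PASSWD = ("git:x:1001:1001::/home/git:/bin/bash\n"
          "backup:x:1002:1002::/home/backup:/bin/dash\n"
          "deploy:x:1003:1003::/home/deploy:/bin/bash\n"
          "alice:x:1004:1004::/home/alice:/bin/bash\n")
KEYS = {"deploy": 'command="/usr/local/bin/deploy-hook",no-pty ssh-ed25519 AAAAC3placeholder deploy@ci\n',
        "alice": "ssh-ed25519 AAAAC3placeholder alice@laptop\n"}
print(audit(SSHD_CONFIG, PASSWD, KEYS))
```

Accounts it reports are the ones to prioritise for the bash update or for a change of login shell; unrestricted users such as `alice` are not listed because they can already run arbitrary commands after authenticating.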