bash-3.2# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
出現了vulneralbe,表示Bash Shell存在漏洞 CVE-2014-6271
再依下列的指令檢測:
bash-3.2# env X='() { (a)=>\' bash -c "echo date"; cat echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Tue Sep 30 10:57:35 CST 2014
出現了時間,表示Bash Shell存在漏洞 CVE-2014-7169
因此到Metalink尋找解決的Patch,找到了Patch-ID# 126546-07,並將126546-07.zip下載下來。
不要在Windows 7的機器解壓縮後再上傳,不然有可能會像我出現下列的訊息,無法正確更新
# patchadd /var/spool/patch/126546-07
Validating patches...
Loading patches installed on the system...
Done!
Loading patches requested to install.
Done!
The following requested patches do not update any packages installed on the system
No Packages from patch 126546-07 are installed on the system.
No patches to dependency check.
直接將126546-07.zip上傳到Solaris的機器上面(例如上傳至/var/spool/patch),再解壓縮如下:
# cd /var/spool/patch
# unzip 126546-07.zip
Archive: 126546-07.zip
creating: 126546-07/
inflating: 126546-07/prepatch
inflating: 126546-07/patchinfo
inflating: 126546-07/postbackout
(...略)
解完壓縮後,執行更新步驟(我是在C Shell下執行的)
# patchadd /var/spool/patch/126546-07
Validating patches...
Loading patches installed on the system...
Done!
Loading patches requested to install.
Done!
The following requested patches have packages not installed on the system
Package SUNWbashS from directory SUNWbashS in patch 126546-07 is not installed on the system. Changes for package SUNWbashS will not be applied to the system.
Checking patches that you specified for installation.
Done!
Approved patches will be installed in this order:
126546-07
Checking installed patches...
Executing prepatch script...
Installing patch packages...
Patch 126546-07 has been successfully installed.
See /var/sadm/patch/126546-07/log for details
Executing postpatch script...
Patch packages installed:
SUNWbash
SUNWsfman
完成更新之後,再重新驗證一次
bash-3.2# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
沒有出現vulnerable
bash-3.2# env X='() { (shellshocker)=>\' bash -c "echo date"; cat echo ; rm -f echo
date
cat: cannot open echo
沒有出現日期
32位元
Key:IcxSquDqeWUGZDkLrD61j35mCti72tGFCcfuS5vBnOM
64位元
Key:cAb3LDPmc4NOeT7M2tpgZdroPsIVZG7BwhX_DRQ_3lU