[Emerging-Sigs] Bash 0-day

Jake Warren jake.warren at masergy.com
Wed Sep 24 17:59:16 EDT 2014


Here's my attempt at some rules for the cgi attack vector. Poorly written
rules with horrible performance but they do at least catch the initial PoC
attacks. :-)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible
CVE-2014-6271 exploit attempt via HTTP headers"; content:"|28|";
http_header; content:"|29|"; http_header; distance:0; within:10;
content:"|7b|"; http_header; distance:0; within:10; content:"|3a|";
http_header; distance:0; within:10; content:"|3b|"; http_header;
distance:0; within:10; content:"|7d|"; http_header; fast_pattern;
distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10;
classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible
CVE-2014-6271 exploit attempt via HTTP URI"; content:"|28|"; http_uri;
content:"|29|"; http_uri; distance:0; within:10; content:"|7b|"; http_uri;
distance:0; within:10; content:"|3a|"; http_uri; distance:0; within:10;
content:"|3b|"; http_uri; distance:0; within:10; content:"|7d|"; http_uri;
fast_pattern; distance:0; within:10; content:"|3b|"; http_uri; distance:0;
within:10; classtype:web-application-attack; reference:cve,2014-6271;
sid:xxxx; rev:1;)

-Jake Warren

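To see what the two posted rules actually key on, here is an added example (not from the thread or from Emerging Threats) that emulates their content chain in Python and runs it over a few constructed HTTP requests. Each one-byte `content` with `distance:0; within:10` means the next byte must start at most nine bytes after the previous match, which a regex with `.{0,9}` gaps reproduces (the regex engine's backtracking also stands in for Snort's retry of later occurrences). Beside the chain it checks for the literal `() {` that bash 4.3's environment importer requires at the start of a value, so the reader can compare the two on a payload body without a colon and on benign punctuation. Sample requests, header names and the decoding shortcut for the `http_uri` buffer are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Emulation of the posted rules: each byte must begin within 10 bytes after the end
# of the previous one-byte match (Snort "distance:0; within:10"), i.e. at most nine
# intervening bytes. DOTALL lets the gap span CR/LF inside the header block.
_GAP = rb".{0,9}"
CHAIN = re.compile(
    rb"\(" + _GAP + rb"\)" + _GAP + rb"\{" + _GAP + rb":" + _GAP + rb";"
    + _GAP + rb"\}" + _GAP + rb";",
    re.DOTALL,
)

# Tighter anchor: bash 4.3 only imports an environment value as a function when
# it starts with exactly "() {" (one space). The body after it is unconstrained.
FUNC_PREFIX = re.compile(rb"\(\) \{")

# Constructed sample requests (hypothetical hosts/paths, not captured traffic).
SAMPLES = {
    # The PoC string from the thread carried in User-Agent, the case the header rule targets.
    "poc_header": (
        b"GET /cgi-bin/status HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: () { :;}; /bin/ping -c 1 198.51.100.20\r\n\r\n"
    ),
    # Same payload percent-encoded in the query string, the case the URI rule targets.
    "poc_uri": (
        b"GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Fid HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
    # Function body without a colon: still a valid bash function definition.
    "no_colon": (
        b"GET /cgi-bin/status HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: () { x; }; /usr/bin/id\r\n\r\n"
    ),
    # Benign punctuation that happens to satisfy the seven-byte chain.
    "benign_braces": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"X-Trace: (ms) {t: 3;} ;\r\n\r\n"
    ),
}


def split_request(raw: bytes):
    """Return (normalized_uri, raw_header_block) for one HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    headers = b"\r\n".join(lines[1:])
    # Snort's http_uri buffer is percent-decoded; approximate that here.
    return unquote_to_bytes(uri), headers


def chain_hits(raw: bytes):
    """Which of the two posted rules would fire: 'header', 'uri', both or neither."""
    uri, headers = split_request(raw)
    hits = []
    if CHAIN.search(headers):
        hits.append("header")
    if CHAIN.search(uri):
        hits.append("uri")
    return hits


def prefix_hit(raw: bytes) -> bool:
    """True if the literal '() {' function prefix appears in headers or decoded URI."""
    uri, headers = split_request(raw)
    return bool(FUNC_PREFIX.search(headers) or FUNC_PREFIX.search(uri))


def scan(samples=SAMPLES):
    """Run both checks over every sample; returns {name: (chain_hits, prefix_hit)}."""
    return {name: (chain_hits(raw), prefix_hit(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (chain, prefix) in scan().items():
        print(f"{name:14s} chain={chain or '-'}  prefix={'yes' if prefix else 'no'}")
```

Running it shows the chain firing on both PoC placements, missing the colon-free body, and firing on the benign `X-Trace` header, while the `() {` literal fires on the three payloads only. In production the literal belongs in a rule with `fast_pattern` on `"() {"` rather than on a single byte such as `|7d|`, which sends almost every request through the full chain.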

On Wed, Sep 24, 2014 at 12:54 PM, Darien Huss <dhuss at emergingthreats.net>
wrote:

> Thanks Cooper, we should have something going out today for this.
>
> Regards,
> Darien
>
> On Wed, Sep 24, 2014 at 1:33 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> This popped up on one of my mailing lists today:
>>
>> >
>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>>
>> This is an example of the exploit code:
>>
>> > $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> >  vulnerable
>> >  this is a test
>>
>> I'm not sure of what would be the best way to detect this, as its
>> potentially exploitable via multiple ports/protocols and I suspect
>> trivial to obfuscate.
>>
>> - --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.17 (MingW32)
>>
>> iQEcBAEBAgAGBQJUIwBXAAoJEKIFRYQsa8FW3+4H/3qMEZ5MirfKyd21/TyyWXgy
>> BLiIlNojmmB/xG+vcgjI9efTY+i6+6gE4zPl0ID6EOU89m/oCEcghO9zw09arO3H
>> YmFeJRZjpIK3iym+FGZMIDvo2F4tt76Oo+58wWxYqkNjYUKWVde6e18wp15hPx/L
>> Uy1S1Ec3AozhEjNcFgUR6vI7hRz+bmEv5Qa2dLfsiEuWBkJvTw9wYnHYjFgrNMOm
>> 3w6lyJmkOC2R+/A0CD436IbnEg55uSwL6kE0pdGfmx4b9kHpJ9Wauj3lLsUUo/PF
>> ja0FhmeGhtfjzrSlJXw7mWUKXMujPviYZswzGZWyQknfktFwHLKplM+cz4LBaZQ=
>> =VV4h
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>