[Emerging-Sigs] Bash 0-day

Will Metcalf wmetcalf at emergingthreatspro.com
Wed Sep 24 19:53:49 EDT 2014


> curl -k -H 'User-Agent: ()       { :;}; echo aa>/tmp/aa' https://localhost/cgi-bin/hi
> hai

Was aa actually created in this case? Multiple spaces failed for me in
testing. I actually needed |28 29 20 7b 20|

Regards,

Will
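As an added illustration (not code from any poster in this thread), the following Python harness runs three checks over constructed header values: the `|28 29 20 7b 20|` content match used by the ET rules, the `\(\).*{.*}.*;` regex proposed for the headers, and a prefix test modelled on the unpatched bash import check, which compared the first four bytes of an environment value to the literal `() {` before parsing the rest as a function body. The sample strings are constructed from the PoC values quoted in the thread plus two ordinary values.

```python
import re

# Constructed sample values (the two PoC header strings quoted in this thread,
# one JavaScript-looking value and one ordinary User-Agent); test inputs only,
# not captured traffic.
SAMPLES = {
    "poc":         "() { :;}; echo aa>/tmp/aa",
    "extra_space": "()       { :;}; echo aa>/tmp/aa",
    "js_like":     "cb=function(){return 1;};",
    "benign":      "Mozilla/5.0 (X11; Linux x86_64)",
}

# The ET rules' fast_pattern content |28 29 20 7b 20|, i.e. the bytes "() {".
# Snort's content keyword is a plain substring match anywhere in the buffer.
ET_CONTENT = b"\x28\x29\x20\x7b\x20"

# Markus's broader pattern \(\).*{.*}.*; (braces escaped here, same meaning).
BROAD_RE = re.compile(r"\(\).*\{.*\}.*;")


def et_content_match(value: str) -> bool:
    """Mirror the http_header/http_uri content match of the ET rules."""
    return ET_CONTENT in value.encode()


def broad_regex_match(value: str) -> bool:
    """Mirror the looser regex proposed for the header buffer."""
    return BROAD_RE.search(value) is not None


def bash_would_import_as_function(value: str) -> bool:
    """Prefix test modelled on the unpatched bash import check, which compared
    the first four bytes of an environment value to the literal "() {" before
    parsing the remainder as a function definition (modelled, see lead-in)."""
    return value.startswith("() {")


def evaluate(value: str) -> dict:
    """Run all three checks over one header value."""
    return {
        "et_content": et_content_match(value),
        "broad_regex": broad_regex_match(value),
        "bash_imports": bash_would_import_as_function(value),
    }


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:12s} {evaluate(value)}")
```

The extra-space variant trips only the broader regex, as does the JavaScript-like value, so that pattern covers a string the fixed content match misses at the price of matching ordinary brace-and-semicolon text.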

On Wed, Sep 24, 2014 at 6:04 PM, Markus Manzke <mm at mare-system.de> wrote:

>
> or: \(\).+{.+}.+;
>
>
>
>
> On 09/25/2014 12:58 AM, Markus Manzke wrote:
> >
> > As far as I can see this will work against the POC
> > curl -k -H 'User-Agent: () { :;}; echo aa>/tmp/aa' https://localhost/cgi-bin/hi
> > like here
> > http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ckrbqac
> >
> > but will fail when using (please note the additional spaces)
> > curl -k -H 'User-Agent: ()       { :;}; echo aa>/tmp/aa' https://localhost/cgi-bin/hi
> > hai
> >
> > I'd go, although this is heavy, with the following regex (esp. for the headers):
> > \(\).*{.*}.*;
> >
> >
> >
> >
> > On 09/25/2014 12:07 AM, Will Metcalf wrote:
> >> We should have these rolled out shortly. Went with the following. Regex is to reduce FP's we had during testing.
> >>
> >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_uri; fast_pattern:only; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/U"; sid:2019231; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
> >>
> >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_header; fast_pattern:only; sid:2019232; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
> >>
> >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_client_body; fast_pattern:only; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/P"; sid:2019233; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
> >>
> >>
> >> On Wed, Sep 24, 2014 at 4:59 PM, Jake Warren <jake.warren at masergy.com> wrote:
> >>
> >>     Here's my attempt at some rules for the cgi attack vector. Poorly written rules with horrible performance but they do at least catch the initial PoC attacks. :-)
> >>
> >>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP headers"; content:"|28|"; http_header; content:"|29|"; http_header; distance:0; within:10; content:"|7b|"; http_header; distance:0; within:10; content:"|3a|"; http_header; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; content:"|7d|"; http_header; fast_pattern; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)
> >>
> >>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP URI"; content:"|28|"; http_uri; content:"|29|"; http_uri; distance:0; within:10; content:"|7b|"; http_uri; distance:0; within:10; content:"|3a|"; http_uri; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; content:"|7d|"; http_uri; fast_pattern; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)
> >>
> >>     -Jake Warren
> >>
> >>
> >>     On Wed, Sep 24, 2014 at 12:54 PM, Darien Huss <dhuss at emergingthreats.net> wrote:
> >>
> >>         Thanks Cooper, we should have something going out today for this.
> >>
> >>         Regards,
> >>         Darien
> >>
> >>         On Wed, Sep 24, 2014 at 1:33 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> >>
> >> This popped up on one of my mailing lists today:
> >>
> >> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
> >>
> >> This is an example of the exploit code:
> >>
> >>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> >>>  vulnerable
> >>>  this is a test
> >>
> >> I'm not sure what would be the best way to detect this, as it's
> >> potentially exploitable via multiple ports/protocols and I suspect
> >> trivial to obfuscate.
> >>
> >>             _______________________________________________
> >>             Emerging-sigs mailing list
> >>             Emerging-sigs at lists.emergingthreats.net
> >>             https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >>             Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net