[Emerging-Sigs] Bash 0-day

Will Metcalf wmetcalf at emergingthreatspro.com
Wed Sep 24 19:55:44 EDT 2014


Let me be clear. After the first "|7b 20|" you can add whatever garbage
you want into the function declaration. But spacing before that had to be
exact in my testing, at least. Do you actually find something different?

Regards,

Will

On Wed, Sep 24, 2014 at 6:53 PM, Will Metcalf <wmetcalf at emergingthreatspro.com> wrote:

> >curl -k -H 'User-Agent: ()       { :;}; echo aa>/tmp/aa' https://localhost/cgi-bin/hi
> >hai
>
> Was aa actually created in this case? Multiple spaces failed for me in
> testing. I actually needed |28 29 20 7b 20|
>
> Regards,
>
> Will
>
> On Wed, Sep 24, 2014 at 6:04 PM, Markus Manzke <mm at mare-system.de> wrote:
>
>>
>> or: \(\).+{.+}.+;
>>
>>
>>
>>
>> On 09/25/2014 12:58 AM, Markus Manzke wrote:
>> >
>> > as far as I can see this will work against the POC
>> > curl -k -H 'User-Agent: () { :;}; echo aa>/tmp/aa' https://localhost/cgi-bin/hi
>> > like here
>> > http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ckrbqac
>> >
>> > but will fail when using (please note the additional spaces)
>> > curl -k -H 'User-Agent: ()       { :;}; echo aa>/tmp/aa' https://localhost/cgi-bin/hi
>> > hai
>> >
>> > I'd go, although this is heavy, with the following regex (esp. for the headers):
>> > \(\).*{.*}.*;
>> >
>> >
>> >
>> >
>> > On 09/25/2014 12:07 AM, Will Metcalf wrote:
>> >> We should have these rolled out shortly. Went with the following. Regex is to reduce FPs we had during testing.
>> >>
>> >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_uri; fast_pattern:only; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/U"; sid:2019231; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
>> >>
>> >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_header; fast_pattern:only; sid:2019232; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
>> >>
>> >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_client_body; fast_pattern:only; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/P"; sid:2019233; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
>> >>
>> >>
>> >> On Wed, Sep 24, 2014 at 4:59 PM, Jake Warren <jake.warren at masergy.com> wrote:
>> >>
>> >>     Here's my attempt at some rules for the cgi attack vector. Poorly written rules with horrible performance but they do at least catch the initial PoC attacks. :-)
>> >>
>> >>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP headers"; content:"|28|"; http_header; content:"|29|"; http_header; distance:0; within:10; content:"|7b|"; http_header; distance:0; within:10; content:"|3a|"; http_header; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; content:"|7d|"; http_header; fast_pattern; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)
>> >>
>> >>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP URI"; content:"|28|"; http_uri; content:"|29|"; http_uri; distance:0; within:10; content:"|7b|"; http_uri; distance:0; within:10; content:"|3a|"; http_uri; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; content:"|7d|"; http_uri; fast_pattern; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)
>> >>
>> >>     -Jake Warren
>> >>
>> >>
>> >>     On Wed, Sep 24, 2014 at 12:54 PM, Darien Huss <dhuss at emergingthreats.net> wrote:
>> >>
>> >>         Thanks Cooper, we should have something going out today for this.
>> >>
>> >>         Regards,
>> >>         Darien
>> >>
>> >>         On Wed, Sep 24, 2014 at 1:33 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>> >>
>> >> This popped up on one of my mailing lists today:
>> >>
>> >>
>> >>
>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>> >>
>> >> This is an example of the exploit code:
>> >>
>> >>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> >>>  vulnerable
>> >>>  this is a test
>> >>
>> >> I'm not sure of what would be the best way to detect this, as it's
>> >> potentially exploitable via multiple ports/protocols and I suspect
>> >> trivial to obfuscate.
>> >>
>> >>             _______________________________________________
>> >>             Emerging-sigs mailing list
>> >>             Emerging-sigs at lists.emergingthreats.net
>> >>             https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>
>> >>             Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
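The detection patterns argued over in this thread, run side by side over constructed header and URI samples, as an added example that is not from the thread: the fixed `|28 29 20 7b 20|` content match from the ET rules, the pcre from the ET URI rule, and Markus's looser `\(\).*{.*}.*;` regex. Python's `re` stands in for Snort's engine here, so the `/U` and `/P` buffer normalisation is not modelled; the samples are the PoC header, the extra-space variant from the thread, a benign User-Agent and the same payload in a query string.

```python
import re

def snort_content(hex_bytes: str) -> bytes:
    """Turn a Snort |xx xx| content string into the raw bytes it matches."""
    return bytes.fromhex(hex_bytes.replace(" ", ""))

# Fixed sequence shared by the three ET rules: |28 29 20 7b 20| == b"() { "
ET_CONTENT = snort_content("28 29 20 7b 20")
# PCRE from the ET URI rule (sid 2019231), without the Snort /U buffer modifier
ET_URI_PCRE = re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")
# Markus's looser header regex from the thread: \(\).*{.*}.*;
LOOSE_RE = re.compile(rb"\(\).*\{.*\}.*;")

# Constructed samples (not captured traffic): PoC header, the extra-space
# variant discussed above, a benign browser UA, and the payload in a URI
SAMPLES = {
    "poc_header": b"User-Agent: () { :;}; echo aa>/tmp/aa",
    "spaced_header": b"User-Agent: ()       { :;}; echo aa>/tmp/aa",
    "benign_header": b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0",
    "poc_uri": b"/cgi-bin/hi?x=() { :;}; echo aa>/tmp/aa",
}

def matches(sample: bytes) -> dict:
    """Report which of the three patterns fires on one header or URI sample."""
    return {
        "et_content": ET_CONTENT in sample,
        "et_uri_pcre": ET_URI_PCRE.search(sample) is not None,
        "loose_regex": LOOSE_RE.search(sample) is not None,
    }

def coverage() -> dict:
    """Run every sample through every pattern; the spaced variant is where they differ."""
    return {name: matches(s) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:14s} " + "  ".join(f"{k}={v}" for k, v in hits.items()))
```

The ET Headers rule carries no pcre, which is why the URI pcre is not expected to fire on the header samples; only the looser regex covers the extra-space variant, at the FP cost the thread warns about.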