[Emerging-Sigs] Bash 0-day

Markus Manzke mm at mare-system.de
Wed Sep 24 20:06:52 EDT 2014



you are right, it has to be exactly "() {"
at least for the ua-exploit; did not test
with body-params

makes it easy on my end, no regex :D


thanks for clarifying



On 09/25/2014 01:53 AM, Will Metcalf wrote:
>>curl -k -H 'User-Agent: ()       { :;}; echo aa>/tmp/aa'  https://localhost/cgi-bin/hi
>>hai
> 
> Was aa actually created in this case? Multiple spaces failed for me in testing. I actually needed |28 29 20 7b 20|
> 
> Regards,
> 
> Will
> 
> On Wed, Sep 24, 2014 at 6:04 PM, Markus Manzke <mm at mare-system.de> wrote:
> 
> 
>     or: \(\).+{.+}.+;
> 
> 
> 
> 
>     On 09/25/2014 12:58 AM, Markus Manzke wrote:
>     >
>     > as far as I can see this will work against the POC
>     > curl -k -H 'User-Agent: () { :;}; echo aa>/tmp/aa'  https://localhost/cgi-bin/hi
>     > like here
>     > http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ckrbqac
>     >
>     > but will fail when using (please note the additional spaces)
>     > curl -k -H 'User-Agent: ()       { :;}; echo aa>/tmp/aa'  https://localhost/cgi-bin/hi
>     > hai
>     >
>     > I'd go, although this is heavy, with the following regex (esp. for the headers):
>     > \(\).*{.*}.*;
>     >
>     >
>     >
>     >
>     > On 09/25/2014 12:07 AM, Will Metcalf wrote:
>     >> We should have these rolled out shortly. Went with the following. Regex is to reduce FP's we had during
>     >> testing.
>     >>
>     >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_uri; fast_pattern:only; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/U"; sid:2019231; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
>     >>
>     >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_header; fast_pattern:only; sid:2019232; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
>     >>
>     >> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_client_body; fast_pattern:only; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/P"; sid:2019233; rev:1; classtype:attempted-admin; reference:url,blogs.akamai.com/2014/09/environment-bashing.html;)
>     >>
>     >>
>     >> On Wed, Sep 24, 2014 at 4:59 PM, Jake Warren <jake.warren at masergy.com> wrote:
>     >>
>     >>     Here's my attempt at some rules for the cgi attack vector. Poorly written rules with horrible
>     >>     performance but they do at least catch the initial PoC attacks. :-)
>     >>
>     >>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP headers"; content:"|28|"; http_header; content:"|29|"; http_header; distance:0; within:10; content:"|7b|"; http_header; distance:0; within:10; content:"|3a|"; http_header; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; content:"|7d|"; http_header; fast_pattern; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)
>     >>
>     >>     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP URI"; content:"|28|"; http_uri; content:"|29|"; http_uri; distance:0; within:10; content:"|7b|"; http_uri; distance:0; within:10; content:"|3a|"; http_uri; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; content:"|7d|"; http_uri; fast_pattern; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)
>     >>
>     >>     -Jake Warren
>     >>
>     >>
>     >>     On Wed, Sep 24, 2014 at 12:54 PM, Darien Huss <dhuss at emergingthreats.net> wrote:
>     >>
>     >>         Thanks Cooper, we should have something going out today for this.
>     >>
>     >>         Regards,
>     >>         Darien
>     >>
>     >>         On Wed, Sep 24, 2014 at 1:33 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>     >>
>     >>         This popped up on one of my mailing lists today:
>     >>
>     >>         https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>     >>
>     >>         This is an example of the exploit code:
>     >>
>     >>> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>     >>> vulnerable
>     >>> this is a test
>     >>
>     >>         I'm not sure what would be the best way to detect this, as it's
>     >>         potentially exploitable via multiple ports/protocols and I suspect
>     >>         trivial to obfuscate.
>     >>
>     >>             _______________________________________________
>     >>             Emerging-sigs mailing list
>     >>             Emerging-sigs at lists.emergingthreats.net
>     >>             https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>
>     >>             Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net

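The rule logic discussed in this thread, as an added example that is not part of the original posts and not Emerging Threats' code: the content and pcre checks of sids 2019231, 2019232 and 2019233 re-implemented in Python and run over constructed HTTP requests (the PoC User-Agent from the thread, the multi-space variant, a percent-encoded URI variant, a POST body variant and a benign request). The `bash_would_import` helper mirrors the four-byte `() {` prefix comparison in pre-patch bash's variables.c, which is why the padded variant neither fires the ET rule nor works against bash, as Will observed. The sample requests and all helper names are constructed for this example.

```python
"""Model of the ET Shellshock (CVE-2014-6271) rule logic from the thread.

Added example; not code from the mailing-list thread or from Emerging Threats.
"""
import re
from urllib.parse import unquote_to_bytes

# content:"|28 29 20 7b 20|" in the ET rules is the byte string "() { ".
# Pre-patch bash (variables.c) compared only the first four bytes, "() {",
# so a value with extra spaces between ")" and "{" is never treated as a
# function definition, which is consistent with Will's multi-space test.
BASH_FUNC_PREFIX = b"() {"
RULE_CONTENT = b"() { "

# pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/U" (sid 2019231)
URI_PCRE = re.compile(rb"[=?&/]\s*?\(\) \{ ")
# pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/P" (sid 2019233)
BODY_PCRE = re.compile(rb"(?:^|[=?&])\s*?\(\) \{ ")


def bash_would_import(value: bytes) -> bool:
    """True if unpatched bash would parse this environment value as a function."""
    return value.startswith(BASH_FUNC_PREFIX)


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (uri, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    headers = b"\r\n".join(lines[1:])
    return uri, headers, body


def matching_sids(raw: bytes):
    """Return the ET sids from the thread that would fire on this request."""
    uri, headers, body = split_request(raw)
    # http_uri is the normalized URI buffer, so percent-decode before matching.
    uri = unquote_to_bytes(uri)
    sids = []
    if RULE_CONTENT in uri and URI_PCRE.search(uri):
        sids.append(2019231)
    if RULE_CONTENT in headers:          # sid 2019232 has no pcre
        sids.append(2019232)
    if RULE_CONTENT in body and BODY_PCRE.search(body):
        sids.append(2019233)
    return sids


def build(method: bytes, target: bytes, extra_headers: bytes = b"", body: bytes = b"") -> bytes:
    """Assemble a minimal raw HTTP/1.1 request (constructed sample input)."""
    req = method + b" " + target + b" HTTP/1.1\r\nHost: localhost\r\n" + extra_headers
    if body:
        req += b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    return req + b"\r\n" + body


# Constructed samples; POC_UA is the payload from the thread's curl command.
POC_UA = b"() { :;}; echo aa>/tmp/aa"
SPACED_UA = b"()       { :;}; echo aa>/tmp/aa"

SAMPLES = {
    "poc_header": build(b"GET", b"/cgi-bin/hi", b"User-Agent: " + POC_UA + b"\r\n"),
    "spaced_header": build(b"GET", b"/cgi-bin/hi", b"User-Agent: " + SPACED_UA + b"\r\n"),
    "poc_uri": build(b"GET", b"/cgi-bin/hi?x=()%20{%20:;};%20echo%20aa"),
    "poc_body": build(b"POST", b"/cgi-bin/hi",
                      b"Content-Type: application/x-www-form-urlencoded\r\n",
                      b"x=() { :;}; echo aa"),
    "benign": build(b"GET", b"/index.html", b"User-Agent: curl/7.38.0\r\n"),
}


def run_all():
    """Evaluate every sample; returns {name: [sids]}."""
    return {name: matching_sids(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_all().items():
        print(f"{name:14s} -> {sids or 'no alert'}")
    print("bash imports PoC value:   ", bash_would_import(POC_UA))
    print("bash imports spaced value:", bash_would_import(SPACED_UA))
```

Run it directly to see which sid each sample trips. The `spaced_header` sample produces no alert and `bash_would_import` returns False for it, so the exact `() {` prefix is both what the rule needs and what bash needs; a looser regex of the `\(\).*{.*}.*;` form would add matches that bash itself would never execute.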
