[Emerging-Sigs] Bash 0-day

Will Metcalf wmetcalf at emergingthreatspro.com
Wed Sep 24 20:14:39 EDT 2014


Nice, will get them into QA. Looks like we should have a look at CUPS as
well.

Regards,

Will

On Wed, Sep 24, 2014 at 6:58 PM, Jake Warren <jake.warren at masergy.com>
wrote:

> Taking a stab at some rules for detecting malicious DHCP packets. Haven't
> been able to test these though. I haven't seen anybody post a PoC for
> injection via DHCP yet.
>
> //option 15 - domain name
> alert udp any 67 -> any 68 (msg:"Possible CVE-2014-6271 exploit attempt
> via malicious DHCP ACK - option 15"; content:"|02 01|"; depth:2;
> content:"|0f|"; distance:238; content:"|28 29 20 7b 20|"; distance:1;
> within:10; classtype:misc-attack; reference:url,
> access.redhat.com/articles/1200223; reference:cve,2014-6271; sid:xxxx;
> rev:1;)
>
> //option 67 - filename
> alert udp any 67 -> any 68 (msg:"Possible CVE-2014-6271 exploit attempt
> via malicious DHCP ACK - option 67"; content:"|02 01|"; depth:2;
> content:"|43|"; distance:238; content:"|28 29 20 7b 20|"; distance:1;
> within:10; classtype:misc-attack; reference:url,
> access.redhat.com/articles/1200223; reference:cve,2014-6271; sid:xxxx;
> rev:1;)
>
> Reference Link:
> https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ckrh029
>
> -Jake Warren
>
>
>
> On Wed, Sep 24, 2014 at 5:07 PM, Will Metcalf <
> wmetcalf at emergingthreatspro.com> wrote:
>
>> We should have these rolled out shortly. Went with the following. Regex
>> is to reduce FPs we had during testing.
>>
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER
>> Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server;
>> content:"|28 29 20 7b 20|"; http_uri; fast_pattern:only;
>> pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/U"; sid:2019231; rev:1;
>> classtype:attempted-admin; reference:url,
>> blogs.akamai.com/2014/09/environment-bashing.html;)
>>
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER
>> Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server;
>> content:"|28 29 20 7b 20|"; http_header; fast_pattern:only; sid:2019232;
>> rev:1; classtype:attempted-admin; reference:url,
>> blogs.akamai.com/2014/09/environment-bashing.html;)
>>
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER
>> Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server;
>> content:"|28 29 20 7b 20|"; http_client_body; fast_pattern:only;
>> pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/P"; sid:2019233; rev:1;
>> classtype:attempted-admin; reference:url,
>> blogs.akamai.com/2014/09/environment-bashing.html;)
>>
>>
>> On Wed, Sep 24, 2014 at 4:59 PM, Jake Warren <jake.warren at masergy.com>
>> wrote:
>>
>>> Here's my attempt at some rules for the cgi attack vector. Poorly
>>> written rules with horrible performance but they do at least catch the
>>> initial PoC attacks. :-)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible
>>> CVE-2014-6271 exploit attempt via HTTP headers"; content:"|28|";
>>> http_header; content:"|29|"; http_header; distance:0; within:10;
>>> content:"|7b|"; http_header; distance:0; within:10; content:"|3a|";
>>> http_header; distance:0; within:10; content:"|3b|"; http_header;
>>> distance:0; within:10; content:"|7d|"; http_header; fast_pattern;
>>> distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10;
>>> classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible
>>> CVE-2014-6271 exploit attempt via HTTP URI"; content:"|28|"; http_uri;
>>> content:"|29|"; http_uri; distance:0; within:10; content:"|7b|"; http_uri;
>>> distance:0; within:10; content:"|3a|"; http_uri; distance:0; within:10;
>>> content:"|3b|"; http_uri; distance:0; within:10; content:"|7d|"; http_uri;
>>> fast_pattern; distance:0; within:10; content:"|3b|"; http_uri; distance:0;
>>> within:10; classtype:web-application-attack; reference:cve,2014-6271;
>>> sid:xxxx; rev:1;)
>>>
>>> -Jake Warren
>>>
>>>
>>> On Wed, Sep 24, 2014 at 12:54 PM, Darien Huss <dhuss at emergingthreats.net> wrote:
>>>
>>>> Thanks Cooper, we should have something going out today for this.
>>>>
>>>> Regards,
>>>> Darien
>>>>
>>>> On Wed, Sep 24, 2014 at 1:33 PM, Cooper F. Nelson <cnelson at ucsd.edu>
>>>> wrote:
>>>>
>>>>>
>>>>> This popped up on one of my mailing lists today:
>>>>>
>>>>> > https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>>>>>
>>>>> This is an example of the exploit code:
>>>>>
>>>>> > $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>>> >  vulnerable
>>>>> >  this is a test
>>>>>
>>>>> I'm not sure what would be the best way to detect this, as it's
>>>>> potentially exploitable via multiple ports/protocols and I suspect
>>>>> trivial to obfuscate.
>>>>>
>>>>> - --
>>>>> Cooper Nelson
>>>>> Network Security Analyst
>>>>> UCSD ACT Security Team
>>>>> cnelson at ucsd.edu x41042
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at lists.emergingthreats.net
>>>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>>> http://www.emergingthreats.net
>>>>>
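An added example, not part of the thread and not ET's own code: a small Python checker that applies the content and pcre conditions of Will's three ET rules (sids 2019231 to 2019233) to constructed HTTP requests, showing why the URI and body rules carry a pcre while the header rule does not. It assumes the sensor hands the rules a percent-decoded URI buffer, so the URI sample is written already decoded.

```python
import re

# Byte string the three ET rules anchor on: "() { " (content:"|28 29 20 7b 20|").
FAST_PATTERN = b"() { "
# pcre from sid:2019231 (flag /U: run against the normalized URI buffer).
URI_RE = re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")
# pcre from sid:2019233 (flag /P: run against the client body buffer).
BODY_RE = re.compile(rb"(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20")


def split_request(raw: bytes):
    """Split a raw HTTP request into the (uri, headers, body) buffers the rules inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    # Keep everything between the method and the trailing " HTTP/x.y", spaces included.
    uri = request_line.split(b" ", 1)[1].rsplit(b" HTTP/", 1)[0]
    return uri, b"\r\n".join(header_lines), body


def match_rules(raw: bytes):
    """Return the sids (2019231..2019233) whose content + pcre conditions the request meets."""
    uri, headers, body = split_request(raw)
    hits = []
    if FAST_PATTERN in uri and URI_RE.search(uri):
        hits.append(2019231)  # URI rule: content match plus pcre
    if FAST_PATTERN in headers:
        hits.append(2019232)  # header rule: content match only, no pcre
    if FAST_PATTERN in body and BODY_RE.search(body):
        hits.append(2019233)  # body rule: content match plus pcre
    return hits


# Constructed sample requests (not real captures), using the PoC string from the thread.
SAMPLE_HEADER = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"User-Agent: () { :;}; echo vulnerable\r\n\r\n")
SAMPLE_URI = (b"GET /cgi-bin/status?cmd=() { :;}; echo vulnerable HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")
SAMPLE_BODY = (b"POST /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"name=() { :;}; echo vulnerable")
# Legitimate JavaScript in a form field: contains "() { " but no parameter
# delimiter directly precedes it, so the body pcre keeps it from alerting.
BENIGN_BODY = (b"POST /api/save HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
               b"code=function foo() { return 1; }")

if __name__ == "__main__":
    for name, req in [("header", SAMPLE_HEADER), ("uri", SAMPLE_URI),
                      ("body", SAMPLE_BODY), ("benign", BENIGN_BODY)]:
        print(name, match_rules(req))
```

The benign sample is the kind of false positive the pcre was added to suppress: the bare content match would fire on it, the pcre does not.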