[Emerging-Sigs] Bash 0-day

Christopher Lowson clowson at emergingthreats.net
Thu Sep 25 19:51:01 EDT 2014


Hello Everyone,

Would just like to update people: there is another patch that just went live
for the vulnerability that looks like it's 100%.

http://www.ubuntu.com/usn/usn-2363-1/

On Thu, Sep 25, 2014 at 3:29 PM, Will Metcalf <
wmetcalf at emergingthreatspro.com> wrote:

> Already done :)... Will go out today.
>
> Regards,
>
> Will
>
> On Thu, Sep 25, 2014 at 2:19 PM, Jake Warren <jake.warren at masergy.com>
> wrote:
>
>> Thanks for sharing Liam. Looks like the DHCP sigs will need to be
>> reworked.
>>
>> Jake
>>
>>
>>
>> On Thu, Sep 25, 2014 at 2:11 PM, Liam Randall <liam.randall at gigaco.com>
>> wrote:
>>
>>> DHCP is out:
>>>
>>> https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
>>>
>>> Liam
>>>
>>> On Thu, Sep 25, 2014 at 3:06 PM, Will Metcalf <
>>> wmetcalf at emergingthreatspro.com> wrote:
>>>
>>>> Collapsing these into a single rule without specific option.
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On Wed, Sep 24, 2014 at 4:59 PM, Jake Warren <jake.warren at masergy.com>
>>>> wrote:
>>>>
>>>>> Here's my attempt at some rules for the cgi attack vector. Poorly
>>>>> written rules with horrible performance but they do at least catch the
>>>>> initial PoC attacks. :-)
>>>>>
>>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
>>>>>   msg:"Possible CVE-2014-6271 exploit attempt via HTTP headers"; \
>>>>>   content:"|28|"; http_header; \
>>>>>   content:"|29|"; http_header; distance:0; within:10; \
>>>>>   content:"|7b|"; http_header; distance:0; within:10; \
>>>>>   content:"|3a|"; http_header; distance:0; within:10; \
>>>>>   content:"|3b|"; http_header; distance:0; within:10; \
>>>>>   content:"|7d|"; http_header; fast_pattern; distance:0; within:10; \
>>>>>   content:"|3b|"; http_header; distance:0; within:10; \
>>>>>   classtype:web-application-attack; reference:cve,2014-6271; \
>>>>>   sid:xxxx; rev:1; \
>>>>> )
>>>>>
>>>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
>>>>>   msg:"Possible CVE-2014-6271 exploit attempt via HTTP URI"; \
>>>>>   content:"|28|"; http_uri; \
>>>>>   content:"|29|"; http_uri; distance:0; within:10; \
>>>>>   content:"|7b|"; http_uri; distance:0; within:10; \
>>>>>   content:"|3a|"; http_uri; distance:0; within:10; \
>>>>>   content:"|3b|"; http_uri; distance:0; within:10; \
>>>>>   content:"|7d|"; http_uri; fast_pattern; distance:0; within:10; \
>>>>>   content:"|3b|"; http_uri; distance:0; within:10; \
>>>>>   classtype:web-application-attack; reference:cve,2014-6271; \
>>>>>   sid:xxxx; rev:1; \
>>>>> )
>>>>>
>>>>> -Jake Warren
>>>>>
>>>>>
>>>>> On Wed, Sep 24, 2014 at 12:54 PM, Darien Huss <
>>>>> dhuss at emergingthreats.net> wrote:
>>>>>
>>>>>> Thanks Cooper, we should have something going out today for this.
>>>>>>
>>>>>> Regards,
>>>>>> Darien
>>>>>>
>>>>>> On Wed, Sep 24, 2014 at 1:33 PM, Cooper F. Nelson <cnelson at ucsd.edu>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> This popped up on one of my mailing lists today:
>>>>>>>
>>>>>>> > https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>>>>>>>
>>>>>>> This is an example of the exploit code:
>>>>>>>
>>>>>>> > $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>>>>>> >  vulnerable
>>>>>>> >  this is a test
>>>>>>>
>>>>>>> I'm not sure of what would be the best way to detect this, as it's
>>>>>>> potentially exploitable via multiple ports/protocols and I suspect
>>>>>>> trivial to obfuscate.
>>>>>>>
>>>>>>> - --
>>>>>>> Cooper Nelson
>>>>>>> Network Security Analyst
>>>>>>> UCSD ACT Security Team
>>>>>>> cnelson at ucsd.edu x41042
>>>>>>> _______________________________________________
>>>>>>> Emerging-sigs mailing list
>>>>>>> Emerging-sigs at lists.emergingthreats.net
>>>>>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>>
>>>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>>>>> http://www.emergingthreats.net
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>
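As an added illustration of the detection question raised in this thread (this code is not from the thread, from Emerging Threats, or from any of the posters), the Python below parses constructed HTTP requests, inspects the fields a CGI handler exports into bash's environment (headers become HTTP_* variables, the query string becomes QUERY_STRING) for the literal "() {" prefix that bash's function-import code keyed on, and reimplements the ordered-byte logic of the quoted rules so the two approaches can be compared on the same samples. The request samples, the example.test host name, the function names, and the decision to tolerate whitespace around the braces are all assumptions of this example.

```python
"""Added example (not from the thread): spotting CVE-2014-6271 payloads in HTTP.

CGI handlers export request headers as HTTP_* environment variables and the
query string as QUERY_STRING, and bash's function-import code keyed on a value
starting with the literal "() {".  That prefix, not the "{ :;};" body of the
public PoC, is what a detection should anchor on.
"""
import re
from urllib.parse import unquote

# bash compared the first four bytes of the value against "() {" verbatim.
# Allowing optional whitespace around the braces is a deliberate loosening
# (an assumption of this example) so that minor variants are still flagged.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (request-target, {header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def candidate_values(target, headers):
    """Yield (source, value) for every request field CGI turns into an env var."""
    path, _, query = target.partition("?")
    yield "uri", path
    # QUERY_STRING is exported raw; most CGIs then percent-decode it, so
    # inspect both forms.
    yield "query", query
    yield "query(decoded)", unquote(query)
    for name, value in headers.items():
        yield "header:" + name, value


def find_shellshock(raw: str):
    """Return [(source, value)] for each field whose value starts like a
    bash function export."""
    target, headers = parse_request(raw)
    return [(src, val) for src, val in candidate_values(target, headers)
            if SHELLSHOCK_PREFIX.search(val)]


def snort_style_match(data: bytes, tokens: bytes = b"(){:;};",
                      within: int = 10) -> bool:
    """Mirror the quoted rules: each single-byte content must be found within
    `within` bytes after the previous match (distance:0; within:10)."""
    pos = data.find(tokens[:1])
    if pos < 0:
        return False
    pos += 1
    for tok in tokens[1:]:
        idx = data[pos:pos + within].find(bytes([tok]))
        if idx < 0:
            return False
        pos += idx + 1
    return True


# Constructed sample requests (not captured traffic).
REQ_POC = ("GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
           "User-Agent: () { :;}; echo vulnerable\r\n\r\n")
REQ_NO_COLON = ("GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
                "Referer: () { x=1; }; echo hit\r\n\r\n")
REQ_QUERY = ("GET /cgi-bin/a?%28%29%20%7B%20%3A%3B%7D%3B%20echo%20x HTTP/1.1\r\n"
             "Host: example.test\r\n\r\n")
REQ_BENIGN = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
              "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("poc", REQ_POC), ("no-colon body", REQ_NO_COLON),
                       ("encoded query", REQ_QUERY), ("benign", REQ_BENIGN)]:
        hits = find_shellshock(req)
        print(f"{label:14s} prefix-hits={[s for s, _ in hits]}")
        for _, val in hits:
            print(f"{'':14s} rule-style match: {snort_style_match(val.encode())}")
```

Running it shows the difference the thread is circling: the prefix check flags all three hostile requests, while the rule-style byte sequence catches the PoC but misses the Referer variant, whose function body has no ":" in it, because bash only needs "() {" at the start of the value and accepts any body after it. A sensor that keys on the prefix, applied to every header value and to the decoded query string, is therefore closer to what bash actually parses than one that keys on the body of the published PoC.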