Possible Remote code execution through Bash CVE-2014-6271 and a couple of scanner-Rules


mex

Sep 24, 2014, 6:49:01 PM
to naxsi-discuss
most important: ID 42000393 / Possible Remote code execution through
Bash CVE-2014-6271 (see references below)

Updates are available through Doxi-Rules
https://bitbucket.org/lazy_dogtown/doxi-rules/overview


[+] new sigs:
42000386 :: web_server.rules :: Nullbyte - Termination \0
42000387 :: scanner.rules :: Open Proxy-Autoconfig-Scan
42000388 :: scanner.rules :: Open Proxy-Autoconfig-Scan
42000389 :: scanner.rules :: Open Proxy-Autoconfig-Scan
42000390 :: scanner.rules :: UPNP-Scan
42000391 :: web_server.rules :: authorized_keys - Access
42000392 :: web_server.rules :: known_hosts Access
42000393 :: web_server.rules :: Possible Remote code execution through Bash CVE-2014-6271 :

#
# sid: 42000393 | date: 2014-09-25 - 00:37
#
# http://seclists.org/oss-sec/2014/q3/649
# https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
# http://seclists.org/oss-sec/2014/q3/650
# http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
#
MainRule "rx:\(.*\).+{.*}.*;" "msg:Possible Remote code execution through Bash CVE-2014-6271 : " "mz:HEADERS" "s:$ATTACK:8" id:42000393 ;

#
# sid: 42000391 | date: 2014-09-24 - 16:41
#
# ssh authorized_keys - access
#
MainRule "str:/authorized_keys" "msg:authorized_keys - Access" "mz:URL" "s:$UWA:8" id:42000391 ;


#
# sid: 42000386 | date: 2014-09-02 - 08:40
#
# http://security.stackexchange.com/questions/66414/getting-null-byte-injection-attacks-to-work-with-php-5-2-17
#
MainRule "str:\0" "msg:Nullbyte - Termination \0" "mz:BODY|URL|ARGS" "s:$ATTACK:8" id:42000386 ;

#
# sid: 42000390 | date: 2014-09-23 - 20:50
#
# https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
#
MainRule "str:/gatedesc.xml" "msg:UPNP-Scan" "mz:URL" "s:$UWA:8" id:42000390 ;


#
# sid: 42000389 | date: 2014-09-23 - 20:49
#
# http://en.wikipedia.org/wiki/Proxy_auto-config
#
MainRule "str:wpad.dat" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000389 ;


#
# sid: 42000388 | date: 2014-09-23 - 20:49
#
# http://en.wikipedia.org/wiki/Proxy_auto-config
# https://isc.sans.edu/forums/diary/Web+Scan+looking+for+infowhitelistpac/18675
#
MainRule "str:proxy.pac" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000388 ;


#
# sid: 42000387 | date: 2014-09-23 - 20:49
#
# https://isc.sans.edu/forums/diary/Web+Scan+looking+for+infowhitelistpac/18675
#
MainRule "str:/whitelist.pac" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000387 ;

mex

Sep 24, 2014, 7:19:59 PM
to naxsi-discuss
updated sig 42000393 - Possible Remote code execution through Bash CVE-2014-6271

MainRule "str:\(\).+{.+}.+;" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:HEADERS" "s:$ATTACK:8" id:42000393 ;

mex

Sep 24, 2014, 8:09:41 PM
to naxsi-discuss
update 2, no regex needed

MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:HEADERS" "s:$ATTACK:8" id:42000393 ;

2014-09-25 0:49 GMT+02:00 mex <lazy.d...@gmail.com>:
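Added example (not from the thread and not naxsi's own code): a small Python model of how the three revisions of sig 42000393 posted above behave when run over the mz:HEADERS zone of a few constructed requests. It assumes that an rx rule is an unanchored regex search over each header value and that a str rule is a case-insensitive substring test; both are approximations of naxsi's matcher, not its implementation. The sample requests, header values and rule names (rev1_rx, rev2_rx, rev3_str) are constructed for the example.

```python
import re

# The three revisions of sig 42000393 from this thread, as (match_kind, pattern).
# Braces are escaped for Python's re module; the patterns are otherwise the
# ones posted (rev3 is the final "no regex needed" str match).
RULES_42000393 = {
    "rev1_rx": ("rx", r"\(.*\).+\{.*\}.*;"),   # first post
    "rev2_rx": ("rx", r"\(\).+\{.+\}.+;"),     # "updated sig"
    "rev3_str": ("str", "() {"),               # "update 2, no regex needed"
}


def header_zone(raw_request: str) -> dict:
    """Return the mz:HEADERS zone of a raw HTTP/1.x request as {name: value}.
    Header names are lower-cased; the request line and the body are ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def rule_hits(raw_request: str, rule: tuple) -> list:
    """Names of the headers in which `rule` fires. Assumption: a str rule is a
    case-insensitive substring test, an rx rule an unanchored regex search."""
    kind, pattern = rule
    hits = []
    for name, value in header_zone(raw_request).items():
        if kind == "rx":
            matched = re.search(pattern, value) is not None
        else:
            matched = pattern.lower() in value.lower()
        if matched:
            hits.append(name)
    return hits


# Constructed sample requests (not captured traffic). The first carries the
# "() {" function-definition prefix the rule looks for, followed by a harmless
# echo; the other two are benign values that happen to contain brackets.
SAMPLES = {
    "shellshock_probe": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "User-Agent: () { :;}; echo probe\r\n"
        "\r\n"
    ),
    "benign_browser": (
        "GET / HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0\r\n"
        "\r\n"
    ),
    "braces_in_referer": (
        "GET / HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Referer: http://example.test/(a) b {c}; d\r\n"
        "\r\n"
    ),
}


def evaluate(samples=SAMPLES) -> dict:
    """{sample_name: {revision: [headers that hit]}} for every rule revision."""
    return {
        sample_name: {rev: rule_hits(req, rule) for rev, rule in RULES_42000393.items()}
        for sample_name, req in samples.items()
    }


if __name__ == "__main__":
    for sample_name, result in evaluate().items():
        print(sample_name)
        for rev, hits in result.items():
            print(f"  {rev:9s} -> {hits or 'no hit'}")
```

Running it shows why the thread converged on the plain string: the first regex also fires on the benign Referer with brackets and a semicolon, the tightened second regex requires a second `;` after the closing brace and so misses a probe that ends right after `};`, while `() {` matches exactly the function-definition prefix bash parses and nothing in the benign samples.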

mex

Sep 25, 2014, 4:27:15 AM
to naxsi-discuss
FYI http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html

I'm running a scan right now of the Internet to test for the recent
bash vulnerability, to see how widespread this is. My scan works by
stuffing a bunch of "ping home" commands in various CGI variables.
It's coming from IP address 209.126.230.72.

Update: Someone is using masscan to deliver malware. They'll likely
have compromised most of the systems I've found by tomorrow morning. If
they're using different URLs and fix the Host field, they'll get tons
more.



2014-09-25 0:49 GMT+02:00 mex <lazy.d...@gmail.com>:

bui

Sep 25, 2014, 4:32:35 AM
to naxsi-discuss
Hi mex!

Smells like drama :)




mex

Sep 25, 2014, 4:39:54 AM
to naxsi-discuss
I already saw some scanners hitting

> Smells like drama :)

not on my side (this time :)


foo ...

http://www.openwall.com/lists/oss-security/2014/09/24/17

"Note that on Linux systems where /bin/sh is symlinked to /bin/bash,
any popen() / system() calls from within languages such as PHP would
be of concern due to the ability to control HTTP_* in the env.

/mz"

$ ls -la /bin/sh
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash

phew ':)
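Added example, not part of the thread: the `ls -la /bin/sh` check above done programmatically, following the whole symlink chain rather than only the first hop (on some systems /bin/sh points at an intermediate link before reaching the real binary). `resolve_shell`, `sh_is_bash` and `demo_chain` are names chosen for this example; the temp-directory links it builds (sh_bash -> bash, sh_dash -> dash) are constructed so the check can be exercised without touching the real /bin/sh.

```python
import os
import tempfile


def resolve_shell(path: str, max_hops: int = 16) -> list:
    """Follow the symlink chain starting at `path` and return every node
    visited; the last element is the final non-symlink target. Relative
    link targets are resolved against the directory of the link that
    holds them, and a hop limit guards against symlink loops."""
    chain = [path]
    current = path
    for _ in range(max_hops):
        if not os.path.islink(current):
            return chain
        target = os.readlink(current)
        if not os.path.isabs(target):
            target = os.path.join(os.path.dirname(current), target)
        current = os.path.normpath(target)
        chain.append(current)
    raise RuntimeError(f"symlink chain too long starting at {path}")


def sh_is_bash(path: str = "/bin/sh") -> bool:
    """True when `path` ultimately resolves to a file named bash, i.e. the
    system() / popen() case the quoted note warns about."""
    return os.path.basename(resolve_shell(path)[-1]) == "bash"


def demo_chain() -> dict:
    """Constructed demonstration: build a bash-backed and a dash-backed 'sh'
    link in a temporary directory and report what the check says for each."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("bash", "dash"):
            open(os.path.join(d, name), "w").close()   # stand-in binaries
        os.symlink("bash", os.path.join(d, "sh_bash"))
        os.symlink("dash", os.path.join(d, "sh_dash"))
        return {
            "sh_bash": sh_is_bash(os.path.join(d, "sh_bash")),
            "sh_dash": sh_is_bash(os.path.join(d, "sh_dash")),
        }


if __name__ == "__main__":
    print("constructed chains:", demo_chain())
    print("/bin/sh chain:", " -> ".join(resolve_shell("/bin/sh")))
    print("/bin/sh is bash:", sh_is_bash())
```

The real check is the two lines in `__main__`; the answer on the box in the post above (`/bin/sh -> dash`) would come back `False`, which is the reassuring case, while `True` means any web application that shells out via system() or popen() inherits the HTTP_* environment risk described in the quoted oss-security note.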