[Bro] CVE-2014-6271/ detection script

Jason Batchelor jxbatchelor at gmail.com
Thu Sep 25 10:06:32 PDT 2014

I took the version from Critical Stack and added the ability to whitelist
certain ranges. It may be valuable if, for example, you have an external
auditing service like White Hat Security conducting scans that you
don't deem actionable.

Perhaps a more broader discussion, but would it be a good idea to have a
global 'ip_whitelist' variable in Bro (assuming it doesn't have one)?
Something that is present, and must always be defined by the end user. Just
a thought, it might encourage future script writers to provision for things
like this. Of course, there is an even broader philisophical discussion on
whitelisting IP ranges, which is why I would suggest leaving the variable
as something that needs to be defined by the end user.


On Thu, Sep 25, 2014 at 10:06 AM, Nicholas Weaver <nweaver at icsi.berkeley.edu
> wrote:

> On Sep 24, 2014, at 8:18 PM, Gary Faulkner <gfaulkner.nsm at gmail.com>
> wrote:
> > Critical Stack has a version as well:
> >
> https://github.com/CriticalStack/bro-scripts/tree/cve-2014-6271/bash-cve-2014-6271
> The constraints based on experimenting that I just did to independently
> validate Liam's script:
> The regexp its keying in on:
> /\x28\x29\x20\x7b\x20/
> "() { "
> Is correct: adding/changing whitespace or other characters between the ()
> or ) {, and removing the space after the { cause this to fail (but {\t
> MIGHT work, but my limited shell fu is not able to check that case).
> However, does anyone know if any web servers will urldecode headers?
> --
> Nicholas Weaver                  it is a tale, told by an idiot,
> nweaver at icsi.berkeley.edu                full of sound and fury,
> 510-666-2903                                 .signifying nothing
> PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140925/22d6193f/attachment.html 
-------------- next part --------------
# Copyright (c) 2014 Critical Stack LLC.  All Rights Reserved.
# Liam Randall (@Hectaman)
# Set of detection routines to monitor for CVE-2014-6271
#       2014-9-7 Initial support for http header vector via mod_cgi
#       2014-9-25 Jason Batchelor: Added white listing support from known security vendor(s) IP ranges.
#                                                                               - WhiteHat Security
module Bash;

export {
        redef enum Notice::Type += {
                ## Indicates that a host may have attempted a bash cgi header attack

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3

        local whitelist = vector(;

        if ( is_orig )
                for ( w in whitelist )
                        if ( c$id$orig_h !in whitelist[w] )
                #               This particular string seems to be necessary
                                if ( /\x28\x29\x20\x7b\x20/ in value)
                                                $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi header against %s submitting \"%s\"=\"%s\"",c$id$orig_h, c$id$resp_h, name, value),

More information about the Bro mailing list