[Bro] CVE-2014-6271 detection script

Liam Randall liam.randall at gmail.com
Wed Sep 24 20:12:25 PDT 2014


Hey Scott,

Playing around with it, I couldn't get it to work via http headers without
starting with: "() { "

I unsuccessfully tried URI encoding a few other things as well, so for now
I put up:
 \x28\x29\x20\x7b\x20

Here's my crack at it:
https://github.com/CriticalStack/bro-scripts/tree/master/bash-cve-2014-6271

There are going to be a lot of other exploit vectors for this: dhcp, cups
maybe?  I'm going to try and update mine as new POCs emerge.

Would love feedback or examples to update the regex.

Liam

On Wed, Sep 24, 2014 at 10:53 PM, Scott Campbell <scampbell at lbl.gov> wrote:

> I just posted a quick policy file which should look at header fields
> and examine the data section for the telltale formatting of a bash
> function.
>
> I have *not* tested this extensively, so please test before deploying.
> Happy to update with better regex etc...
>
> https://github.com/set-element/misc-scripts/blob/master/header-test.bro
>
> cheers,
> scott
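A header check along the lines Liam describes, as an added example that is neither the script linked above nor part of the original thread: it percent-decodes each header value and matches the "() {" function-definition prefix, so URI-encoded variants of the kind he mentions trying are caught as well. The regex, helper names and the sample request are constructed for this example.

```python
import re
from urllib.parse import unquote

# Bash function-definition prefix that CVE-2014-6271 requires at the start of
# an environment-variable value: "() {" with optional whitespace around it.
# The post above matches the literal bytes "\x28\x29\x20\x7b\x20"; this
# pattern is looser so that "(){" and "()  {" variants are caught too.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def normalize_header_value(value: str) -> str:
    """Percent-decode a header value (twice, to fold double encoding) and trim it."""
    return unquote(unquote(value)).strip()


def is_shellshock_candidate(value: str) -> bool:
    """True if the header value begins with the bash function-definition marker."""
    return SHELLSHOCK_RE.search(normalize_header_value(value)) is not None


def scan_request_headers(raw_headers: str) -> list:
    """Return (header-name, value) pairs whose value looks like an exported bash function."""
    hits = []
    for line in raw_headers.splitlines():
        if ":" not in line:
            continue  # request line or malformed header: nothing to inspect
        name, _, value = line.partition(":")
        if is_shellshock_candidate(value):
            hits.append((name.strip(), value.strip()))
    return hits


# Constructed sample request (not captured traffic); the function bodies are harmless echoes.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: () { :;}; echo probe\r\n"
    "Referer: %28%29%20%7B%20:;%7D; echo encoded\r\n"
    "Cookie: session=abc123\r\n"
    "Accept: text/html\r\n"
)

if __name__ == "__main__":
    for name, value in scan_request_headers(SAMPLE_REQUEST):
        print(f"suspect header {name}: {value!r}")
```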