[Bro] CVE-2014-6271/ detection script

Gary Faulkner gfaulkner.nsm at gmail.com
Wed Sep 24 21:29:44 PDT 2014


Oops, somehow I missed your email when I replied. Good work guys.

On 9/24/2014 10:12 PM, Liam Randall wrote:
> Hey Scott,
>
> Playing around with it, I couldn't get it to work via HTTP headers without
> starting with: "() { "
>
> I unsuccessfully tried URI encoding a few other things as well, so for now
> I put up:
>   \x28\x29\x20\x7b\x20
>
> Here's my crack at it:
> https://github.com/CriticalStack/bro-scripts/tree/master/bash-cve-2014-6271
>
> There are going to be a lot of other exploit vectors for this: DHCP, CUPS
> maybe?  I'm going to try and update mine as new POCs emerge.
>
> Would love feedback or examples to update the regex.
>
> Liam
>
> On Wed, Sep 24, 2014 at 10:53 PM, Scott Campbell <scampbell at lbl.gov> wrote:
>
>> I just posted a quick policy file which should look at header fields
>> and examine the data section for the telltale formatting of a bash
>> function.
>>
>> I have *not* tested this extensively, so please test before deploying.
>> Happy to update with better regex etc...
>>
>> https://github.com/set-element/misc-scripts/blob/master/header-test.bro
>>
>> cheers,
>> scott
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

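The header check discussed in this thread, as an added Python example (not code from the thread or from the linked Bro scripts): it flags HTTP request header values that begin with the `\x28\x29\x20\x7b\x20` byte sequence and separately marks values that match only after percent-decoding. The function names, hosts and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte pattern quoted in the thread: "() { " written as hex escapes.
FUNC_DEF = re.compile(rb"\x28\x29\x20\x7b\x20")

def parse_headers(raw: bytes):
    """Return [(name, value)] from a raw HTTP request head, joining folded lines."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        if line[:1] in (b" ", b"\t") and headers:   # obsolete line folding
            name, value = headers[-1]
            headers[-1] = (name, (value + b" " + line.strip()).strip())
        elif b":" in line:
            name, value = line.split(b":", 1)
            headers.append((name.strip().decode("latin-1"), value.strip()))
    return headers

def scan_request(raw: bytes):
    """Return [(header_name, kind)] for header values that start with the pattern."""
    findings = []
    for name, value in parse_headers(raw):
        if FUNC_DEF.match(value):                   # match() anchors at value start
            findings.append((name, "literal"))
        elif FUNC_DEF.match(unquote_to_bytes(value)):
            findings.append((name, "percent-encoded"))
    return findings

# Constructed sample requests (hypothetical hosts and header values).
SAMPLES = {
    # Pattern appears mid-value only, so it is not flagged.
    "mid_value": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"User-Agent: Mozilla/5.0 (X11) () { x\r\n\r\n",
    "literal": b"GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: () { CONSTRUCTED-SAMPLE\r\n\r\n",
    "encoded": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"Referer: %28%29%20%7b%20CONSTRUCTED-SAMPLE\r\n\r\n",
    "folded": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
              b"X-Test:\r\n () { CONSTRUCTED-SAMPLE\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_request(raw))
```

The percent-encoded category is reported separately so it can be triaged at a lower priority than a literal match.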