[Bro] CVE-2014-6271/ detection script

Nicholas Weaver nweaver at ICSI.Berkeley.EDU
Thu Sep 25 08:06:43 PDT 2014


On Sep 24, 2014, at 8:18 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:

> Critical Stack has a version as well: 
> https://github.com/CriticalStack/bro-scripts/tree/cve-2014-6271/bash-cve-2014-6271

The constraints based on experimenting that I just did to independently validate Liam's script:

The regexp it's keying in on:

/\x28\x29\x20\x7b\x20/

"() { "

Is correct: adding/changing whitespace or other characters between the () or ) {, and removing the space after the { cause this to fail (but {\t MIGHT work, but my limited shell fu is not able to check that case).  

However, does anyone know if any web servers will urldecode headers?

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver at icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
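
The check discussed in this message, as an added example in Python (not code from the message or from either Bro script). It applies the quoted byte signature to header values and, as an assumption covering the open URL-decoding question, also to the percent-decoded value; the function names, header names and values are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte signature quoted in the message: "() { "
SIG = re.compile(rb"\x28\x29\x20\x7b\x20")


def classify(value: bytes) -> str:
    """Return 'raw', 'urlencoded' or 'clean' for one header value."""
    if SIG.search(value):
        return "raw"
    # Assumption: some server or gateway might percent-decode header values
    # before they reach a CGI environment, so test the decoded bytes as well.
    decoded = unquote_to_bytes(value)
    if decoded != value and SIG.search(decoded):
        return "urlencoded"
    return "clean"


def scan(headers):
    """Return (name, verdict) for every header whose value is not clean."""
    verdicts = ((name, classify(value)) for name, value in headers)
    return [(name, verdict) for name, verdict in verdicts if verdict != "clean"]


# Constructed header values; "<body>" is a placeholder, not a real payload.
SAMPLE = [
    (b"User-Agent", b"() { <body>"),            # exact signature
    (b"Referer", b"%28%29%20%7b%20<body>"),     # percent-encoded signature
    (b"Cookie", b"()  { <body>"),               # extra space: not the signature
    (b"X-Constructed", b"() {<body>"),          # no space after the brace
    (b"X-Tab", b"() {\t<body>"),                # tab case the message leaves unchecked
    (b"Accept", b"text/html"),
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE):
        print(name.decode(), verdict)
```

Reporting the `urlencoded` verdict separately keeps it distinguishable from the raw match, since whether any server decodes headers is left open in the message.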
