http header POC cve-2014-6271

CriticalStack-Dev · CriticalStack-Dev · commit c8359a5f19f4 · 2014-09-24T19:21:30.000-04:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,46 @@
+# Compiled source #
+###################
+*.com
+*.class
+*.dll
+*.exe
+*.o
+*.so
+
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+*.zip
+
+# Logs and databases #
+######################
+*.log
+*.sql
+*.sqlite
+
+# OS generated files #
+######################
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Presentations #
+#################
+.key
+
+
+.state
+.state/
+.!*!*
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2014, Critical Stack LLC
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the {organization} nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/bash-cve-2014-6271/README.md b/bash-cve-2014-6271/README.md
@@ -0,0 +1,114 @@
+CVE-2014-6271
+===
+
+[1. Overview](#overview)
+[2. HTTP Header](#httpheader)
+
+<a name="overview"></a>
+##1. Overview
+===
+
+**CVE-2014-6271** is a real nasty one; this vulnerability is in one of those pervasive pieces of software that comes with nearly every unixy type device- the [bash](http://tiswww.case.edu/php/chet/bash/bashtop.html), the Bourne-Again SHell.  Let's test to see if your servers|workstations|internet-of-things is vulnerable:
+
+Open a shell and paste:
+```
+env x='() { :;}; echo vulnerable' bash -c 'echo hello'
+```
+
+If you are not vulnerable, then the following will be shown:
+```
+bash: warning: x: ignoring function definition attempt
+bash: error importing function definition for `x'
+hello
+```
+If you are vulnerable, then you will see:
+```
+vulnerable
+hello
+```
+
+If you are vulnerable you should update your device immediately.  I have a feeling that this is the kind of exploit that is going to start cropping up in a large variety of cases.  I'll try to keep this updated to detect the various methods as the situation evolves.
+
+<a name="httpheader"></a>
+##2. HTTP Header Attack
+===
+
+
+First POC is out- attempting to attack bash based cgi scripts; [internet wide scans](http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html) have been kicked off and I expect to see this genuinely weaponized before the evening is out. 
+
+A vulnerable piece of code will look something like this:
+
+```
+#!/bin/bash
+
+echo Content-type: text/html
+echo ""
+
+/bin/cat << EOM
+<HTML>
+<HEAD><TITLE>File Output: /home/user1/public_html/text-file.txt </TITLE>
+</HEAD>
+<BODY bgcolor="#cccccc" text="#000000">
+<P>
+<SMALL>
+<PRE>
+EOM
+
+/bin/env
+
+CAT << EOM
+</PRE>
+</SMALL>
+<P>
+</BODY>
+</HTML>
+EOM
+```
+[[source](http://www.yolinux.com/TUTORIALS/LinuxTutorialCgiShellScript.html) 
+
+This piece of code will output something like this:
+```
+<HTML>
+<HEAD><TITLE>File Output: /home/user1/public_html/text-file.txt </TITLE>
+</HEAD>
+<BODY bgcolor="#cccccc" text="#000000">
+<P>
+<SMALL>
+<PRE>
+SERVER_SIGNATURE=
+Apache/2.0.40 Server at localhost Port 80
+
+
+UNIQUE_ID=DErk6n8AAAEAAAblFQEAAAAD
+HTTP_USER_AGENT=Mozilla/4.8 [en] (X11; U; Linux 2.4.18-27.8.0 i586)
+SERVER_PORT=80
+HTTP_HOST=localhost
+DOCUMENT_ROOT=/var/www/html
+HTTP_ACCEPT_CHARSET=iso-8859-1,*,utf-8
+SCRIPT_FILENAME=/var/www/cgi-bin/env.sh
+REQUEST_URI=/cgi-bin/env.sh
+SCRIPT_NAME=/cgi-bin/env.sh
+HTTP_CONNECTION=Keep-Alive
+REMOTE_PORT=32984
+PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
+PWD=/var/www/cgi-bin
+SERVER_ADMIN=root@localhost
+HTTP_ACCEPT_LANGUAGE=en
+HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
+REMOTE_ADDR=127.0.0.1
+SHLVL=1
+SERVER_NAME=localhost
+SERVER_SOFTWARE=Apache/2.0.40 (Red Hat Linux)
+QUERY_STRING=
+SERVER_ADDR=127.0.0.1
+GATEWAY_INTERFACE=CGI/1.1
+SERVER_PROTOCOL=HTTP/1.0
+HTTP_ACCEPT_ENCODING=gzip
+REQUEST_METHOD=GET
+_=/bin/env
+</PRE>
+</SMALL>
+<P>
+</BODY>
+</HTML>
+```
diff --git a/bash-cve-2014-6271/http-bash-cgi-vuln.bro b/bash-cve-2014-6271/http-bash-cgi-vuln.bro
@@ -0,0 +1,24 @@
+module Bash;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a host may have attempted a bash cgi header attack
+		HTTP_Header_Attack,
+	};
+}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
+	{
+
+	if ( is_orig )
+		{
+		if ( /\x7b.*\x7d.*\x3b/ in value )
+			{
+			NOTICE([$note=Bash::HTTP_Header_Attack,
+				$conn=c,
+				$msg=fmt("%s may have attempted a bash CGI HTTP header attack against %s submitting \"%s\"=\"%s\"",c$id$orig_h, c$id$resp_h, name, value),
+				$identifier=c$uid]);
+			}
+		}
+	
+	}
