From fdfac591c17f25ae4d0548493388808d88c00817 Mon Sep 17 00:00:00 2001 From: Mike Sconzo Date: Thu, 25 Sep 2014 14:36:37 -0500 Subject: [PATCH 1/6] slightly more permissive regex and initial attempt at connect-back detection --- bash-cve-2014-6271/bash-cve-2014-6271.bro | 24 +++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/bash-cve-2014-6271/bash-cve-2014-6271.bro b/bash-cve-2014-6271/bash-cve-2014-6271.bro index 4c1d2f1..3e821d2 100644 --- a/bash-cve-2014-6271/bash-cve-2014-6271.bro +++ b/bash-cve-2014-6271/bash-cve-2014-6271.bro @@ -6,6 +6,7 @@ # CHANGES: # 2014-9-24 Initial support for http header vector via mod_cgi # 2014-9-25 Added support for ignoring subnets to subnets +# 2014-9-25 Slightly more permissive regex and added connect-back detection module Bash; @@ -13,15 +14,17 @@ export { redef enum Notice::Type += { ## Indicates that a host may have attempted a bash cgi header attack HTTP_Header_Attack, + Connect_Back, }; # exclude hosts or entire networks from being tracked as potential "scanners". # index is conneciton subnet originators, yield is connection subnet responders const ignore_scanners: table[subnet] of subnet &redef; - } +global shellshock_hosts: set[addr] &create_expire=10min &synchronized; + event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3 { 
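Review bot: `Connect_Back` joins the Notice::Type enum without the `##` doc comment that `HTTP_Header_Attack` carries, and the new `shellshock_hosts` global says nothing about what it holds or which handler reads it, so the link between the two detections is invisible at the declaration. I would add `## Indicates that a host previously targeted by a bash cgi attack opened a new outbound connection` above `Connect_Back`, and above the global a comment along the lines of `# Responders that received a suspected CVE-2014-6271 payload; consulted by Conn::log_conn to flag connect-backs. Entries expire 10 minutes after creation; &synchronized presumably keeps the set consistent across cluster workers`. The `event http_header` definition whose opening line closes this hunk continues past its end.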
@@ -31,13 +34,30 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( is_orig ) { # This particular string seems to be necessary - if ( /\x28\x29\x20\x7b\x20/ in value) + if ( /\x28\x20*\x29\x20*\x7b\x20*/ in value) { NOTICE([$note=Bash::HTTP_Header_Attack, $conn=c, $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi header against %s submitting \"%s\"=\"%s\"",c$id$orig_h, c$id$resp_h, name, value), $identifier=c$uid]); + add shellshock_hosts[c$id$resp_h]; } } } + +event Conn::log_conn(rec: Conn::Info) + { + if ( rec$id$resp_h in shellshock_hosts && rec$id$resp_h == rec$id$orig_h ) + { + local c: connection; + local cid: conn_id; + c$id = cid; + c$uid = rec$uid; + c$id$orig_h = rec$id$orig_h; + c$id$resp_h = rec$id$resp_h; + c$id$resp_p = rec$id$resp_p; + NOTICE([$note=Bash::Connect_Back, $msg=fmt("Possible connect back from detected CVE-2014-6271 exploit(%s)", rec$id$resp_h), + $conn=c]); + } + } From 37693e103933465240d2ce916c959dcd1728c5be Mon Sep 17 00:00:00 2001 From: Mike Sconzo Date: Thu, 25 Sep 2014 14:43:41 -0500 Subject: [PATCH 2/6] added URI detection --- bash-cve-2014-6271/bash-cve-2014-6271.bro | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/bash-cve-2014-6271/bash-cve-2014-6271.bro b/bash-cve-2014-6271/bash-cve-2014-6271.bro index 3e821d2..1abd65a 100644 --- a/bash-cve-2014-6271/bash-cve-2014-6271.bro +++ b/bash-cve-2014-6271/bash-cve-2014-6271.bro @@ -6,7 +6,7 @@ # CHANGES: # 2014-9-24 Initial support for http header vector via mod_cgi # 2014-9-25 Added support for ignoring subnets to subnets -# 2014-9-25 Slightly more permissive regex and added connect-back detection +# 2014-9-25 Slightly more permissive regex and added connect-back detection, as well as URI detection module Bash; 
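Review bot: The Connect_Back condition in the new Conn::log_conn handler can only fire for a connection whose originator and responder are the same address, because it requires `rec$id$resp_h == rec$id$orig_h`; a connect-back is the recorded victim (the HTTP responder added to shellshock_hosts) originating an outbound connection, so the test should be `rec$id$orig_h in shellshock_hosts`. Building a `connection` value by hand also leaves fields such as `orig_p` unset, which I expect to raise a runtime error once the notice framework copies `$conn$id` into the notice record; Notice::Info already accepts `$id` and `$uid`, so pass those from `rec` directly and drop the fabricated record. Without an `$identifier`, every outbound flow from a flagged host yields its own notice; keying suppression on the host pair keeps repeated connect-backs to one notice per interval. The rewritten handler:
```bro
event Conn::log_conn(rec: Conn::Info)
	{
	# The victim recorded in shellshock_hosts is the HTTP responder; a
	# connect-back is that host originating a new connection outbound.
	if ( rec$id$orig_h !in shellshock_hosts )
		return;

	NOTICE([$note=Bash::Connect_Back,
	        $msg=fmt("Possible connect back from detected CVE-2014-6271 exploit(%s)", rec$id$orig_h),
	        $id=rec$id,
	        $uid=rec$uid,
	        $identifier=cat(rec$id$orig_h, rec$id$resp_h)]);
	}
```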
@@ -14,6 +14,7 @@ export { redef enum Notice::Type += { ## Indicates that a host may have attempted a bash cgi header attack HTTP_Header_Attack, + HTTP_URI_Attack, Connect_Back, }; @@ -46,6 +47,23 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr } +even http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) + { + if ( c$id$orig_h in ignore_scanners && c$id$resp_h in ignore_scanners[c$id$orig_h] ) + return; + + if ( is_orig ) + if ( /\x28\x20*\x29\x20*\x7b\x20*/ in original_URI) + { + NOTICE([$note=Bash::HTTP_URI_Attack, + $conn=c, + $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi URL against %s submitting \"%s\"=\"%s\"",c$id$orig_h, c$id$resp_h, name, value), + $identifier=c$uid]); + add shellshock_hosts[c$id$resp_h]; + } + + } + event Conn::log_conn(rec: Conn::Info) { if ( rec$id$resp_h in shellshock_hosts && rec$id$resp_h == rec$id$orig_h ) From 6f2b46a7882207e088aeab913b92d81409ce785c Mon Sep 17 00:00:00 2001 From: Mike Sconzo Date: Thu, 25 Sep 2014 14:46:05 -0500 Subject: [PATCH 3/6] fixed some bad ideas --- bash-cve-2014-6271/bash-cve-2014-6271.bro | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/bash-cve-2014-6271/bash-cve-2014-6271.bro b/bash-cve-2014-6271/bash-cve-2014-6271.bro index 1abd65a..d15994f 100644 --- a/bash-cve-2014-6271/bash-cve-2014-6271.bro +++ b/bash-cve-2014-6271/bash-cve-2014-6271.bro 
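Review bot: `HTTP_URI_Attack` is inserted between the documented `HTTP_Header_Attack` and `Connect_Back` without the `##` doc comment the existing entry uses, so the generated notice documentation will describe one of the three attack types only. Add `## Indicates that a host may have attempted a bash cgi attack via the request URI` directly above `HTTP_URI_Attack,`. The export block continues beyond this hunk.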
@@ -47,21 +47,19 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr } -even http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) +event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { if ( c$id$orig_h in ignore_scanners && c$id$resp_h in ignore_scanners[c$id$orig_h] ) return; - if ( is_orig ) - if ( /\x28\x20*\x29\x20*\x7b\x20*/ in original_URI) - { - NOTICE([$note=Bash::HTTP_URI_Attack, - $conn=c, - $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi URL against %s submitting \"%s\"=\"%s\"",c$id$orig_h, c$id$resp_h, name, value), - $identifier=c$uid]); - add shellshock_hosts[c$id$resp_h]; - } - + if ( /\x28\x20*\x29\x20*\x7b\x20*/ in original_URI) + { + NOTICE([$note=Bash::HTTP_URI_Attack, + $conn=c, + $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi URL against %s", c$id$orig_h, c$id$resp_h), + $identifier=c$uid]); + add shellshock_hosts[c$id$resp_h]; + } } event Conn::log_conn(rec: Conn::Info) From 8fe04965b5907f1f71b9fc5647b2af785e10fe06 Mon Sep 17 00:00:00 2001 From: Mike Sconzo Date: Thu, 25 Sep 2014 20:52:25 -0500 Subject: [PATCH 4/6] fixed bug in uri portion --- bash-cve-2014-6271/bash-cve-2014-6271.bro | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bash-cve-2014-6271/bash-cve-2014-6271.bro b/bash-cve-2014-6271/bash-cve-2014-6271.bro index d15994f..719b405 100644 --- a/bash-cve-2014-6271/bash-cve-2014-6271.bro +++ b/bash-cve-2014-6271/bash-cve-2014-6271.bro @@ -35,7 +35,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( is_orig ) { # This particular string seems to be necessary - if ( /\x28\x20*\x29\x20*\x7b\x20*/ in value) + if ( /\x28\x20*\x29\x20*\x7b\x20*\x3a\x3b/ in value) { NOTICE([$note=Bash::HTTP_Header_Attack, $conn=c, 
@@ -51,8 +51,7 @@ event http_request(c: connection, method: string, original_URI: string, unescape { if ( c$id$orig_h in ignore_scanners && c$id$resp_h in ignore_scanners[c$id$orig_h] ) return; - - if ( /\x28\x20*\x29\x20*\x7b\x20*/ in original_URI) + if ( /\x28\x20*\x29\x20*\x7b\x20*\x3a\x3b/ in unescaped_URI) { NOTICE([$note=Bash::HTTP_URI_Attack, $conn=c, From 3093d84a3f979cb5f8ae4b14ecb3db79a7c453b8 Mon Sep 17 00:00:00 2001 From: Mike Sconzo Date: Thu, 25 Sep 2014 22:01:03 -0500 Subject: [PATCH 5/6] fixed the regex after doing some actual testing vs. being lazy --- bash-cve-2014-6271/bash-cve-2014-6271.bro | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bash-cve-2014-6271/bash-cve-2014-6271.bro b/bash-cve-2014-6271/bash-cve-2014-6271.bro index 719b405..59322e4 100644 --- a/bash-cve-2014-6271/bash-cve-2014-6271.bro +++ b/bash-cve-2014-6271/bash-cve-2014-6271.bro @@ -35,7 +35,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( is_orig ) { # This particular string seems to be necessary - if ( /\x28\x20*\x29\x20*\x7b\x20*\x3a\x3b/ in value) + if ( /\x28\x29\x20+\x7b\x20+\x3a\x20*\x3b/ in value) { NOTICE([$note=Bash::HTTP_Header_Attack, $conn=c, @@ -51,7 +51,7 @@ event http_request(c: connection, method: string, original_URI: string, unescape { if ( c$id$orig_h in ignore_scanners && c$id$resp_h in ignore_scanners[c$id$orig_h] ) return; - if ( /\x28\x20*\x29\x20*\x7b\x20*\x3a\x3b/ in unescaped_URI) + if ( /\x28\x29\x20+\x7b\x20+\x3a\x20*\x3b/ in unescaped_URI) { NOTICE([$note=Bash::HTTP_URI_Attack, $conn=c, From 23531cebdbc6de6f158367a34d7a71c70c82618d Mon Sep 17 00:00:00 2001 From: Mike Sconzo Date: Thu, 25 Sep 2014 22:22:30 -0500 Subject: [PATCH 6/6] back to the original regex because I'm going crazy --- bash-cve-2014-6271/bash-cve-2014-6271.bro | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/bash-cve-2014-6271/bash-cve-2014-6271.bro b/bash-cve-2014-6271/bash-cve-2014-6271.bro index 59322e4..145bc8b 100644 --- a/bash-cve-2014-6271/bash-cve-2014-6271.bro +++ b/bash-cve-2014-6271/bash-cve-2014-6271.bro @@ -35,7 +35,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( is_orig ) { # This particular string seems to be necessary - if ( /\x28\x29\x20+\x7b\x20+\x3a\x20*\x3b/ in value) + if ( /\x28\x29\x20\x7b\x20/ in value) { NOTICE([$note=Bash::HTTP_Header_Attack, $conn=c, @@ -51,7 +51,7 @@ event http_request(c: connection, method: string, original_URI: string, unescape { if ( c$id$orig_h in ignore_scanners && c$id$resp_h in ignore_scanners[c$id$orig_h] ) return; - if ( /\x28\x29\x20+\x7b\x20+\x3a\x20*\x3b/ in unescaped_URI) + if ( /\x28\x29\x20\x7b\x20/ in unescaped_URI) { NOTICE([$note=Bash::HTTP_URI_Attack, $conn=c,
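Review bot: The regex `/\x28\x29\x20\x7b\x20/` is now spelled out twice, once here in http_header and once in the http_request hunk below, and the five preceding commits show how readily the two copies drift apart; declare it once in the export block, `const shellshock_pattern = /\x28\x29\x20\x7b\x20/ &redef;`, and test `shellshock_pattern in value` and `shellshock_pattern in unescaped_URI`. The context comment `# This particular string seems to be necessary` should also record why this exact form is the right one: bash's environment-import check recognises a function definition only when the value starts with the exact four bytes `() {`, so the whitespace-tolerant variants tried in the earlier commits could only add false positives rather than catch additional exploit attempts. Both enclosing handlers extend beyond these hunks.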