Wednesday, 24 September 2014

Ruleset-Update: Possible Remote code execution through Bash CVE-2014-6271 and some Scanner-Sigs

Most important: ID 42000393 / Possible Remote code execution through Bash CVE-2014-6271 (see references below)

Updates are available through Doxi-Rules https://bitbucket.org/lazy_dogtown/doxi-rules/overview

German blog post with additional information on CVE-2014-6271 / Possible Remote code execution through Bash


[+] new sigs:
  42000386 :: web_server.rules     :: Nullbyte - Termination \0
  42000387 :: scanner.rules        :: Open Proxy-Autoconfig-Scan
  42000388 :: scanner.rules        :: Open Proxy-Autoconfig-Scan
  42000389 :: scanner.rules        :: Open Proxy-Autoconfig-Scan
  42000390 :: scanner.rules        :: UPNP-Scan
  42000391 :: web_server.rules     :: authorized_keys - Access
  42000392 :: web_server.rules     :: known_hosts Access
  42000393 :: web_server.rules     :: Possible Remote code execution through Bash CVE-2014-6271

#
# sid: 42000393 | date: 2014-09-25 - 00:37
#
# http://seclists.org/oss-sec/2014/q3/649
# https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
# http://seclists.org/oss-sec/2014/q3/650
# http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
#
MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393  ;


#
# sid: 42000391 | date: 2014-09-24 - 16:41
#
# ssh authorized_keys - access
#
MainRule "str:/authorized_keys" "msg:authorized_keys - Access" "mz:URL" "s:$UWA:8" id:42000391  ;


#
# sid: 42000386 | date: 2014-09-02 - 08:40
#
# http://security.stackexchange.com/questions/66414/getting-null-byte-injection-attacks-to-work-with-php-5-2-17
#
MainRule "str:\0" "msg:Nullbyte - Termination \0" "mz:BODY|URL|ARGS" "s:$ATTACK:8" id:42000386  ;

#
# sid: 42000390 | date: 2014-09-23 - 20:50
#
# https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
#
MainRule "str:/gatedesc.xml" "msg:UPNP-Scan" "mz:URL" "s:$UWA:8" id:42000390  ;


#
# sid: 42000389 | date: 2014-09-23 - 20:49
#
# http://en.wikipedia.org/wiki/Proxy_auto-config
#
MainRule "str:wpad.dat" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000389  ;


#
# sid: 42000388 | date: 2014-09-23 - 20:49
#
# http://en.wikipedia.org/wiki/Proxy_auto-config
# https://isc.sans.edu/forums/diary/Web+Scan+looking+for+infowhitelistpac/18675
#
MainRule "str:proxy.pac" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000388  ;


#
# sid: 42000387 | date: 2014-09-23 - 20:49
#
# https://isc.sans.edu/forums/diary/Web+Scan+looking+for+infowhitelistpac/18675
#
MainRule "str:/whitelist.pac" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000387  ;
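To show what these signatures actually fire on, here is an added example (not Naxsi or Doxi-Rules code) that re-implements the "str:" / "mz:" matching of the MainRules above in Python and runs it over a few constructed requests: a Shellshock probe carried in the User-Agent header, a percent-encoded fetch of authorized_keys, a PAC scan and a benign page view. The Request structure, the "$ATTACK >= 8" / "$UWA >= 8" block thresholds and the sample requests are assumptions made for illustration; the string "str:\0" is read as a literal NUL byte, which is the rule's stated intent. Rule 42000392 is listed in the update but its body is not shown, so it is left out.

```python
"""Re-implementation of the str:/mz: matching used by the Naxsi MainRules
above, applied to constructed sample requests.  Added example, not Naxsi or
Doxi-Rules code; Request, THRESHOLDS and the sample requests are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    sid: int
    pattern: str     # "str:" literal, matched as a case-insensitive substring
    zones: tuple     # "mz:" match zones, in rule order
    score_var: str   # "s:$VAR:N" -> $VAR
    score: int       # "s:$VAR:N" -> N
    msg: str


# The signatures from the ruleset update (42000392 has no rule body on the page).
RULES = (
    Rule(42000393, "() {", ("BODY", "HEADERS"), "$ATTACK", 8,
         "Possible Remote code execution through Bash CVE-2014-6271"),
    Rule(42000391, "/authorized_keys", ("URL",), "$UWA", 8, "authorized_keys - Access"),
    # "str:\0" interpreted as a literal NUL byte (the rule's stated intent)
    Rule(42000386, "\x00", ("BODY", "URL", "ARGS"), "$ATTACK", 8, "Nullbyte - Termination"),
    Rule(42000390, "/gatedesc.xml", ("URL",), "$UWA", 8, "UPNP-Scan"),
    Rule(42000389, "wpad.dat", ("URL",), "$UWA", 8, "Open Proxy-Autoconfig-Scan"),
    Rule(42000388, "proxy.pac", ("URL",), "$UWA", 8, "Open Proxy-Autoconfig-Scan"),
    Rule(42000387, "/whitelist.pac", ("URL",), "$UWA", 8, "Open Proxy-Autoconfig-Scan"),
)

# Assumed CheckRule thresholds: "$ATTACK >= 8" and "$UWA >= 8" would BLOCK.
THRESHOLDS = {"$ATTACK": 8, "$UWA": 8}


@dataclass
class Request:
    url: str                                   # path as received (percent-encoded)
    args: str = ""                             # raw query string
    headers: dict = field(default_factory=dict)
    body: str = ""


def zone_text(req: Request, zone: str) -> str:
    """Return the request data a match zone covers, percent-decoded the way
    the WAF decodes request data before applying rules."""
    if zone == "URL":
        return unquote(req.url)
    if zone == "ARGS":
        return unquote(req.args)
    if zone == "BODY":
        return unquote(req.body)
    if zone == "HEADERS":
        return "\n".join(f"{k}: {v}" for k, v in req.headers.items())
    return ""


def evaluate(req: Request):
    """Apply every rule once; return (hits, scores, blocked) where hits lists
    (sid, zone) for the first zone each rule matched in."""
    hits, scores = [], {}
    for rule in RULES:
        for zone in rule.zones:
            if rule.pattern.lower() in zone_text(req, zone).lower():
                hits.append((rule.sid, zone))
                scores[rule.score_var] = scores.get(rule.score_var, 0) + rule.score
                break  # one score increment per rule per request (simplification)
    blocked = any(scores.get(var, 0) >= limit for var, limit in THRESHOLDS.items())
    return hits, scores, blocked


def sample_requests():
    """Constructed requests: a Shellshock probe in the User-Agent header, a
    percent-encoded authorized_keys fetch, a PAC scan and a benign page view."""
    return {
        "shellshock": Request("/cgi-bin/status",
                              headers={"User-Agent": "() { :; }; echo shellshock-test"}),
        "ssh_keys": Request("/.ssh/authorized%5Fkeys"),   # %5F decodes to "_"
        "pac_scan": Request("/wpad.dat"),
        "benign": Request("/index.html", args="q=hello"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req))
```

The percent-encoded authorized_keys request is there to make the point that the rule works on decoded data: a naive grep over the raw access log for "/authorized_keys" would miss it, while the signature still fires. The NUL-byte rule is matched against the decoded URL, ARGS and BODY zones for the same reason.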