Discussion:
CVE-2014-6271
flymolon
2014-09-26 00:48:34 UTC
Permalink
Hi,
Is CVE-2014-6271 detection available now?

Thanks!



flymolon
Chris
2014-09-26 07:09:41 UTC
Permalink
Hi,
Post by flymolon
Is CVE-2014-6271 detection available now?
yes since yesterday:

http://lists.wald.intevation.org/pipermail/openvas-nvts-commits/2014-September/000693.html
Chris
2014-09-26 07:23:48 UTC
Permalink
Ah, forgot to mention. There are way more attack possibilities which are collected in:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Chris
2014-09-27 10:40:42 UTC
Permalink
Hi,

most infos and different test patterns are now collected here:

https://shellshocker.net/
Rainer Sokoll
2014-09-26 09:44:59 UTC
Permalink
Post by Chris
Post by flymolon
Is CVE-2014-6271 detection available now?
http://lists.wald.intevation.org/pipermail/openvas-nvts-commits/2014-September/000693.html
Does it really work? If I let it run against a webserver:

openvas-nasl -d -t www.example.com -X -T out /var/lib/openvas/plugins/gb_bash_shellshock_remote_cmd_exec_vuln.nasl

All I see in the webserver’s log is this:

x.x.x.x - - [26/Sep/2014:11:37:30 +0200] "GET / HTTP/1.1" 200 48163 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:30 +0200] "GET /test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:30 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:31 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:31 +0200] "GET /scripts/test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:31 +0200] "GET //test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"

Still digging through the output of openvas-nasl…

Rainer
Christiaan DeVries
2014-09-26 09:49:05 UTC
Permalink
Hi all,

After running all synchronisations, I still don't have the shellshock detection. Any hints as to what could be wrong with my system?

Regards,

Christiaan de Vries
w: +353 1 526 7736 | m: +353 860 234 384 | e: christiaan.devries @hetg.ie | www.DigitalPlanet.ie | www.hetg.ie
HIBERNIA HOUSE | Cherrywood Business Park | Loughlinstown | Dublin 18 | Ireland
Hibernia Services Ltd. is registered in Ireland, Company Registration No. 170309
© 2014 Digital Planet, part of the HiberniaEvros Technology Group

Rainer Sokoll
2014-09-26 10:11:26 UTC
Permalink
Post by Christiaan DeVries
After running all synchronisations, I still don't have the shellshock detection. Any hints as to what could be wrong with my system?
Same here. I grabbed it directly from http://lists.wald.intevation.org/pipermail/openvas-nvts-commits/2014-September/000693.html

Rainer
Chris
2014-09-26 10:19:30 UTC
Permalink
It should be available at "Web application abuses", and CGI scanning needs to be enabled.

Also check the older heartbleed mailing list thread for some hints when missing an NVT.
Rainer Sokoll
2014-09-26 10:45:26 UTC
Permalink
Post by Rainer Sokoll
Post by Chris
Post by flymolon
Is CVE-2014-6271 detection available now?
http://lists.wald.intevation.org/pipermail/openvas-nvts-commits/2014-September/000693.html
openvas-nasl -d -t www.example.com -X -T out /var/lib/openvas/plugins/gb_bash_shellshock_remote_cmd_exec_vuln.nasl
x.x.x.x - - [26/Sep/2014:11:37:30 +0200] "GET / HTTP/1.1" 200 48163 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:30 +0200] "GET /test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:30 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:31 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:31 +0200] "GET /scripts/test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
x.x.x.x - - [26/Sep/2014:11:37:31 +0200] "GET //test-cgi HTTP/1.1" 404 1040 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS)"
Stupid me.

Of course, the NVT needs a script to test. And since it cannot know which scripts are available on a webserver, it simply tries / plus 5 common CGI scripts. If these scripts do not exist (or they ain’t a CGI script) - then there is nothing to test.

Apologies to the author: The script works as expected.

Rainer
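
The point made above, that a scan whose probes all come back 404 had nothing to test, can be checked from the web server's access log. The following is an added example, not part of the thread or of OpenVAS; the function name, the 2xx/5xx heuristic and the sample log lines are assumptions made for illustration.

```python
import re

# Apache combined log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def scan_coverage(lines, agent_marker="OpenVAS"):
    """Report whether any scanner probe reached a script that actually ran."""
    probes = []
    for line in lines:
        # Mail clients sometimes turn the closing quote into a typographic one.
        m = LOG_RE.match(line.replace("\u201c", '"').replace("\u201d", '"'))
        if not m or agent_marker not in m["agent"]:
            continue  # unparsable line, or not a request from the scanner
        path = re.sub(r"/{2,}", "/", m["path"])  # "//test-cgi" -> "/test-cgi"
        probes.append((path, int(m["status"])))
    # Assumption: 2xx or 5xx on a script path means a handler was invoked;
    # "/" is left out because a front page says nothing about CGI.
    reachable = sorted({p for p, s in probes
                        if p != "/" and (200 <= s < 300 or s >= 500)})
    return {"probes": probes, "reachable": reachable,
            "conclusive": bool(reachable)}

def _line(path, status, agent="Mozilla/4.75 [en] (X11, U; OpenVAS)"):
    # Constructed sample line modelled on the thread; 192.0.2.10 is a
    # documentation address.
    return (f'192.0.2.10 - - [26/Sep/2014:11:37:30 +0200] '
            f'"GET {path} HTTP/1.1" {status} 1040 "-" "{agent}"')

# Constructed input: every script probe is a 404, as in the thread.
SAMPLE_MISS = [_line("/", 200), _line("/test-cgi", 404),
               _line("/cgi-bin/test-cgi", 404), _line("//test-cgi", 404),
               _line("/index.html", 200, agent="Mozilla/5.0")]
# Constructed input: the same scan after a test-cgi script has been installed.
SAMPLE_HIT = SAMPLE_MISS + [_line("/cgi-bin/test-cgi", 200)]

if __name__ == "__main__":
    for name, sample in (("miss", SAMPLE_MISS), ("hit", SAMPLE_HIT)):
        result = scan_coverage(sample)
        print(name, "conclusive:", result["conclusive"], result["reachable"])
```

A result with "conclusive" set to False means the scan says nothing about the host either way: no script was reached, so a clean report is not evidence of a patched bash.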
Christiaan DeVries
2014-09-26 12:05:22 UTC
Permalink
Hi Rainer,

What exactly do you mean by the NVT needs a script to test? Basically, I'm trying to come up with a way I can (mass) scan our networks but as I'm quite new to OpenVAS I feel I'm missing something here.

When I run the check, I get the following output:
[***@openvas openvas]# openvas-nasl -d -t 172.26.128.0/24 -X -T out /var/lib/openvas/plugins/gb_bash_shellshock_remote_cmd_exec_vuln.nasl
set key www/80/keepalive -> yes

Anything else I should be adding to identify vulnerable machines?

Christiaan de Vries
Chris
2014-09-26 12:16:10 UTC
Permalink
Hi,

As far as I can see, the default:

/test-cgi

needs to be in your cgi folder for a successful running test with this NVT.
Chris
2014-09-27 10:10:40 UTC
Permalink
Hi,

just as a follow-up:

Seems SIP proxies are also vulnerable:

https://github.com/zaf/sipshock
Chris
2014-09-27 15:29:47 UTC
Permalink
Same goes for qmail:

http://www.gossamer-threads.com/lists/qmail/users/138568
Chris
2014-09-30 18:11:16 UTC
Permalink
Hi,

and as another follow-up:

A nice list of vulnerable software/systems is available here:

https://github.com/mubix/shellshocker-pocs

Michael Meyer
2014-09-26 12:18:56 UTC
Permalink
Post by Christiaan DeVries
What exactly do you mean by the NVT needs a script to test?
Basically, I'm trying to come up with a way I can (mass) scan our
networks but as I'm quite new to OpenVAS I feel I'm missing
something here.
set key www/80/keepalive -> yes
Anything else I should be adding to identify vulnerable machines?
Store http://pastebin.com/TYu2ZLWY under "/path/to/webserver/cgi-bin/test-cgi".
Run a scan and it should be detected. This is only needed at the
moment if that file doesn't exist. We will update the NVT as soon as
possible.

Micha
--
Michael Meyer OpenPGP Key: 0xAF069E9152A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG
Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Rainer Sokoll
2014-09-26 12:20:50 UTC
Permalink
On 26.09.2014 at 14:05, Christiaan DeVries <***@hetg.ie> wrote:

I’m new as well, so take all cum grano salis ;-)
Post by Christiaan DeVries
What exactly do you mean by the NVT needs a script to test? Basically, I'm trying to come up with a way I can (mass) scan our networks but as I'm quite new to OpenVAS I feel I'm missing something here.
set key www/80/keepalive -> yes
gb_bash_shellshock_remote_cmd_exec_vuln.nasl looks for

/test-cgi
/cgi-bin/test-cgi
/scripts/test-cgi

So you would need to have at least one of these scripts on your webserver to see what happens. (you may write it on your own)
If you are vulnerable, your scanner should return the victim’s date (see lines 108 ff. of gb_bash_shellshock_remote_cmd_exec_vuln.nasl).

Rainer
Phillip Rice
2014-09-26 12:28:56 UTC
Permalink
Hi

Is there any way we can run a test like the example
Post by Rainer Sokoll
/var/lib/openvas/plugins/gb_bash_shellshock_remote_cmd_exec_vuln.nasl
set key www/80/keepalive -> yes
But have it use credentials and actually run a bash shell command like

env x='() { (a)=>\' bash -c "echo ls /tmp ; cat echo"

and check if the file echo is created with the contents of /tmp

This would validate the latest patch from RedHat

CVE-2014-6271, CVE-2014-7169

https://access.redhat.com/articles/1200223

Thanks


Phillip Rice

Michael Meyer
2014-09-26 13:17:46 UTC
Permalink
Post by Phillip Rice
But have it use credentials and actually run a bash shell command like
env x='() { (a)=>\' bash -c "echo ls /tmp ; cat echo"
A local check will also be released soon.

Micha