Sign in to follow this  
Followers 0
iamtheky

regex for shellshock - anything bulletproof yet

3 posts in this topic

found this perl command to loop through environment variables looking for those that contain code after function declaration.   anything better? 

 

$ perl -e 'for (keys %ENV) { delete $ENV{$_} if $ENV{$_} =~ /};.+/ }'

 

 

 

at the bottom of this article

http://perltricks.com/article/115/2014/9/26/Shellshock-and-Perl


,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites



So this isn't a fix, but you can search for evildoers in your apache access.log with the regex

"(?s*_*s*)?s*{|cgi"

It will return a lot of false positives for the cgi, but that's better than false negatives. Just pipe tail -f into grep -E and watch for anything untoward happening.

 

from here:  http://www.reddit.com/r/netsec/comments/2hehgk/cve20147169_bash_fix_incomplete_still_exploitable/

i built a splunk report with it, so far returned a bunch of awk and a few rpm commands that are all false positives.


,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0