gogusan

BASH Shellshock - Test and FIX

Posted (edited)

Announcement thread: https://rstforums.com/forum/90178-hackerii-au-inceput-sa-exploateze-vulnerabilitatea-shellshock-una-dintre-cele-mai.rst

How the attack appears in the logs:

54.251.83.67 - - [28/Sep/2014:09:48:17 +0300] "GET / HTTP/1.0" 200 934 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"

How do we run the test?

[root@zeus ~]# export testbug='() { :;}; echo VULNERABIL'
[root@zeus ~]# bash -c "echo TEST"
VULNERABIL
TEST
[root@zeus ~]#

The fix:

1. through a system update

(with yum update bash: bash x86_64 4.1.2-15.el6_5.2 updates 905 k)

or

2. through the script from shellshocker.net:

curl https://shellshocker.net/fixbash | sh

Test after the fix:

[root@zeus ~]# export testbug='() { :;}; echo VULNERABIL'
[root@zeus ~]# bash -c "echo TEST"
TEST
[root@zeus ~]#

FAIL2BAN Detect and BAN:

We create the filter file:

[root@zeus]# nano /etc/fail2ban/filter.d/shellshock.conf


#54.251.83.67 - - [28/Sep/2014:09:48:17 +0300] "GET / HTTP/1.0" 200 934 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"

[Definition]
# accept HTTP/1.0 as well as HTTP/1.1, so the sample line above also matches
failregex = ^<HOST> - - (?:\[[^]]*\] )+\"GET.*HTTP/1\.[01]\".*(};|}\s;).*
ignoreregex =

We add the filter to jail.conf:

[root@zeus]# nano /etc/fail2ban/jail.conf

[shellshock]
enabled = true
filter = shellshock
action = iptables-multiport[name=shellshock]
# replace the placeholder below with the path to your access.log
logpath = calea_voastra_catre_access.log
bantime = 3600
findtime = 60
maxretry = 1

[root@zeus]# service fail2ban reload

And if we run iptables -L, the fail2ban rule will be displayed:

[root@zeus]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-shellshock tcp -- anywhere anywhere multiport dports ssh

Edited by gogusan
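
A way to check a Shellshock failregex against sample access-log lines before reloading fail2ban, added here as an example and not part of the original post. fail2ban failregex values use Python regular-expression syntax; the IPv4-only HOST expansion, the BROAD pattern and all log lines except the first are assumptions constructed for illustration, and the example goes beyond the GET-only case in the post.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Pattern tied to GET and HTTP/1.1 that keys on "};" anywhere after the request.
NARROW = r'^<HOST> - - (?:\[[^]]*\] )+"GET.*HTTP/1\.1".*(};|}\s;).*'
# Hypothetical broader pattern: any quoted log field that starts with the
# function-definition prefix "() {", whatever the method or HTTP version.
BROAD = r'^<HOST> .*"\s*\(\)\s*\{'

# The first line is the one quoted in the post; the rest are constructed samples.
SAMPLE_LINES = [
    r'54.251.83.67 - - [28/Sep/2014:09:48:17 +0300] "GET / HTTP/1.0" 200 934 '
    r'"-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"',
    # Payload in the Referer field of a POST request.
    r'192.0.2.10 - - [28/Sep/2014:10:01:40 +0300] "POST /cgi-bin/form HTTP/1.1" '
    r'200 321 "() { :;}; echo constructed" "curl/7.30.0"',
    # Payload in the User-Agent with extra whitespace before the closing brace.
    r'198.51.100.7 - - [28/Sep/2014:10:02:11 +0300] "GET /cgi-bin/status HTTP/1.1" '
    r'200 512 "-" "() { :; }; echo constructed"',
    # Ordinary request, should never be banned.
    r'203.0.113.5 - - [28/Sep/2014:10:03:00 +0300] "GET /app.js HTTP/1.1" '
    r'200 2048 "-" "Mozilla/5.0"',
    # Benign Referer that happens to contain "};" (JavaScript in a query string).
    r'203.0.113.9 - - [28/Sep/2014:10:05:00 +0300] "GET /search HTTP/1.1" '
    r'200 100 "http://example.com/?q=function(){};" "Mozilla/5.0"',
]


def matched_hosts(failregex, lines):
    """Return the host of every line the failregex matches, in input order."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name, pattern in (("narrow", NARROW), ("broad", BROAD)):
        print(name, matched_hosts(pattern, SAMPLE_LINES))
```

On a host with fail2ban installed, the fail2ban-regex tool runs the same kind of check against the real log file and filter file.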
