-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http-shellshock: Fix false positive by matching at start of line #2089
Conversation
4f82ac2
to
ae3847a
Compare
I am guessing that this might not be a completely safe assumption. If bash is not the process invoked directly by the web server but it is somewhere deeper in the process tree that produces only a portion of the output then it is not assured that the final response will have the random mark at the beginning of a line. Perhaps a more robust approach to differentiate between a vulnerable shell invocation and a request reflection would be to verify that the mark is not preceded by "echo", accounting for a few possible space encodings. Something along these lines: local function find_mark (str, mark)
local spaces = {" ", " ", " ", "+", "%20"}
local pos = 1
while true do
pos = str:find(mark, pos, true)
if not pos then break end
local found = true
for _, space in ipairs(spaces) do
local cmd = "echo" .. space
local cmdpos = pos - #cmd
if cmdpos > 0 and str:find(cmd, cmdpos, true) == cmdpos then
-- just a reflected request
found = false
break
end
end
if found then return true end
pos = pos + #mark
end
return false
end This gives you the following:
|
You misunderstand. We know the mark will be at the beginning of a line not because of an assumption that the bash payload is the first thing to execute, but because the bash payload begins with an empty |
I understand fine. There is just no assurance that the newlines will be preserved under these circumstances. |
ae3847a
to
1bd3cde
Compare
If you’re worried about an endpoint that executes a bash script in the middle and reads its output and writes something else, there’s no assurance that anything will be preserved. In any event, what do you think about this alternate solution of inserting extra quotes into the payload that are removed by bash?
|
This would certainly accomplish the same objective, The only downside is that I was contemplating to remove the currently unnecessary quotes from the payload to reduce the chance of interfering with how the downstream process command line gets composed (possibly with quotes). How about this instead?
|
Running the http-shellshock script on a Zulip installation results in a false positive because Zulip (intentionally and safely) reflects the HTTP User-Agent header as the data-platform attribute on a <div> so that it can be matched with CSS rules. https://github.com/zulip/zulip/blob/3.0/templates/zerver/portico.html#L11 Change the payload to write the random string with multiple echo statements, so that the random string won’t match a reflected payload that was not actually executed. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
1bd3cde
to
6242abe
Compare
Okay. Updated as such. |
The fix has been committed as r37969, Thank you for reporting the issue and coming up with a solution! |
* Implement Ncat proxy creds via environment variable. Fixes nmap#2060, closes nmap#2073 * Fix --resume from IPv6 scans * Use correct default buffer position. Closes nmap#2084 * Clarify upper boundary for variable-length numerical fields * Make maximize_fdlimit return rlim_t on appropriate platforms. Closes nmap#2085. Fixes nmap#2079 * Credential object is creds.Account, not brute.Account. See nmap#2086 * Clarify location of the Error object * Use correct default buffer position. Closes nmap#2086 * Minor optimization of url.parse_query() * Output of matched fingerprints in http-default-accounts. Fixes nmap#2077 * Document that --open implies --defeat-rst-ratelimit since 7.40 * SNMP scripts are enabled on non-standard ports. See nmap#1473 * Increases SQL Server version resolution * Eliminate reflection false positives in http-shellshock. Closes nmap#2089 * Unify AFP pathname serialization * Correct AFP name extraction from responses. Closes nmap#2091 FPGetFileDirParms and FPEnumerateExt2 could crash due to unpacking from out-of-bounds positions. This latent issue got exposed by converting from bin.unpack to more stringent string.unpack * Clarified parsing of the volume list in AFP FPGetSrvrParms * Add cross references between the 2 whois scripts * Streamline Boolean expressions * Centralize AFP timestamp conversion to string * Fix a word-wrapping issue * Prevent SSH2 KEX confusion. Fixes nmap#2105 * Add ssh2.fetch_host_key() support for group 16 * Handle case of corrupted TCP options with length 0. Fixes nmap#2104 * Add iDRAC9 fingerprint to http-default-accounts. Closes nmap#2096 * fix license url: http -> https * Implementation of TLS SNI override in Ncat Closes nmap#2087, closes nmap#1928, fixes nmap#1927, fixes nmap#1974 * Fix off-by-one issue in last change. Fixes nmap#2107 * Be more strict with TCP options parsing, avoid reading off the end of TCP options. See nmap#2107 * Remove nmap-update This feature was never publicly released, and has not been distributed in our binary builds for a couple versions now. It needed to be removed in order to reduce the number of places Nmap looks for data files. See nmap#2051 * If fetchfile didn't find the XSL, use a relative path on all platforms. * Do not search NMAPDATADIR on Windows as it is not defined. See nmap#2051 * Remove an unused variable * Require trailing '/' to match a directory name with --script. See nmap#2051 * Stop using Shellshock in header name. Fixes nmap#1983 * Fix line wrapping * Speed improvement for script afp-ls. Closes nmap#2098 * New option --discovery-ignore-rst. Closes nmap#1616 * Nbase is needed for __attribute__ on Windows * include string_pool in Windows build * Use larger buffer size for socket errors (WSAETIMEDOUT was longer). * Allow multiple UDP payloads per port. Closes nmap#1859 (payloads to be committed later) * New UDP payloads. Closes nmap#1860 * Use ASCII chars for some payload data where it makes sense * Pass error along instead of printing (link error) * OpenSSL 1.1.X renamed libs: libeay32->libcrypto ssleay32->libssl * More OpenSSL DLL name changes * One last libeay32->libcrypto name change * Fix loopback detection on Windows with new Npcap * Add some popular favicon hashes * Update nmap-mac-prefixes * Update nmap-services from IANA * Handle too-short response in s7-info. See nmap#2117 * Remove a todo item that is done (--resolve-all) * Update dated 'class' network terms to CIDR. Closes nmap#2054 * Call superclass's init method from derived class * Use signed value for tcp header offset and option lengths to detect underflow * Correctly check for unsigned subtraction underflow. * Add some missing changelog entries * Tell LGTM to use the correct version of Python (2) * Process new Linux and OpenBSD fingerprints * Only get SSL options if we use them, currently for NO_SSLv2 * Process a few service fingerprint submissions * Add a requested feature * Try to make sure enough data is present before parsing. See nmap#2117 * Replace hyphens in the client SSH banner Hyphen is not allowed in the software version string (RFC 4253, section 4.2) * Update the SSH protocol flow. Closes nmap#1460 Allows the server to start the key exchange before the protocol version exchange (banner exchange) is completed * Silence static analysis warning LGTM points out that since comparison with sizeof(buf) coerces n to unsigned, all negative values become very large values, which are necessarily larger than sizeof(buf), so the test is redundant. We still want the test in our code to be explicit that we are checking for it, so reordering the comparisons should silence the warning. A good optimizing compiler should be able to combine the two conditions anyway. See github/codeql#4249 * Be explicit about truncating division (timeout is in whole milliseconds) * Improve docs on -Pn and host discovery "Host discovery" is the preferred term over "ping scan" because of confusion with ICMP Echo Request, a.k.a. "ping" as used by the "ping" utility. Warn when users use -Pn because it has negative impact on scan times since ultrascan timing parameters fall back to slow initial defaults. * Fix a config issue with LGTM (libverbs not linked in libpcap) * Update IPv6 classifier based on new submissions through 2020-09-14 * Fix a meaningless error message when parsing IPv6 extension headers. * Allow %F date format to mean YYYY-mm-dd like GNU date * Remove duplicate test conditionals already tested in enclosing block * Properly handle pcap reads in iocp engine. Fixes nmap#2126 Still has an odd code smell, but this fixes my test case with Nping. * Add missing prototype * Make IOCP the default Nsock engine on Windows. See nmap#2126 * Update macosx build to OpenSSL 1.1.1h, use jhbuild for all build steps * Default rule base for script mysql-audit. See nmap#2125 * Avoid masked use of date before 1/1/1970 UTC. Fixes nmap#2136, closes nmap#2137 * Fix a CHANGELOG typo * Reintegrate Nmap 7.90 release branch * Bump version and regen docs for 7.90SVN post-release * Only warn about protocol specs in port list with -p. Fixes nmap#2135 * Handle a weird IOCP error for UDP sockets. Fixes nmap#2140 Co-authored-by: nnposter <nnposter@e0a8ed71-7df4-0310-8962-fdc924857419> Co-authored-by: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Running the
http-shellshock
script on a Zulip installation results in a false positive because Zulip (intentionally and safely) reflects the HTTPUser-Agent
header as thedata-platform
attribute on a<div>
so that it can be matched with CSS rules.If an actually vulnerable server were really running our payload
then the extra
echo
would causetherandomstring
to appear at the start of a line. So we can avoid the false positive by only triggering on matches at the start of a line.