The Shellshock vulnerability has been making the rounds lately (CVE-2014-6271, CVE-2014-7169). It takes advantage of a flaw in the commonly used Unix shell bash and enables the attackers to execute arbitrary commands through an incorrectly parsed parameter. Based on known patterns, a common attack trigger is a string "() {" followed by a bash command passed as HTTP parameter to expose any CGI scripts that use bash.

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

There are several ways to prevent this pattern and with NetScaler Application Firewall signatures, any request with this pattern can be blocked.

Another approach is to use Responder feature where the policy checks for the string "() {" in header, query, and request body. If the string match is positive, then the policy drops the request and logs the suspicious activity:

add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES

add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP -logAction ShellShock_Log

bind responder global ShellShock_policy 10 END -type REQ_DEFAULT

Note: Shellshock is a fast evolving vulnerability with new changes frequently coming out to bash. The preceding rules will be updated as and when new patterns are used to attack bash.

NetScaler defends against shellshock attack.

CTX200217 - Citrix Security Advisory for GNU Bash Shellshock Vulnerabilities