Home / server / Questions / 631257
Accepted
Giovanni Tirloni
Asked: 2014-09-26 06:25:21 +0800 CST

How to test if my server is vulnerable to the ShellShock bug?

  • 772

How can I ensure my Bash installation is not vulnerable to the ShellShock bug anymore after the updates?

security

6 Answers

  1. Best Answer

    To check for the CVE-2014-6271 vulnerability

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    it should NOT echo back the word vulnerable.

    To check for the CVE-2014-7169 vulnerability
    (warning: if yours fails it will make or overwrite a file called /tmp/echo that you can delete after, and need to delete before testing again )

    cd /tmp; env X='() { (a)=>\' bash -c "echo date"; cat echo

    it should say the word date then complain with a message like cat: echo: No such file or directory. If instead it tells you what the current datetime is then your system is vulnerable.

    To check for CVE-2014-7186

    bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

    it should NOT echo back the text CVE-2014-7186 vulnerable, redir_stack.

    To check for CVE-2014-7187

    (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

    it should NOT echo back the text CVE-2014-7187 vulnerable, word_lineno.

    To check for CVE-2014-6277. I'm not 100% sure on this one as it seems to rely on a partially patched system that I no longer have access to.

    env HTTP_COOKIE="() { x() { _; }; x() { _; } <<`perl -e '{print "A"x1000}'`; }" bash -c "echo testing CVE-2014-6277"

    A pass result on this one is it ONLY echoing back the text testing CVE-2014-6277. If it runs perl or if it complains that perl is not installed that is definitely a fail. I'm not sure on any other failure characteristics as I no longer have any unpatched systems.

    To check for CVE-2014-6278. Again, I'm not 100% sure on if this test as I no longer have any unpatched systems.

    env HTTP_COOKIE='() { _; } >_[$($())] { echo hi mom; id; }' bash -c "echo testing CVE-2014-6278"

    A pass for this test is that it should ONLY echo back the text testing CVE-2014-6278. If yours echoes back hi mom anywhere that is definitely a fail.

    • 83

  2. Export a especially crafted environment variable that will be evaluated automatically by vulnerable versions of Bash:

    $ export testbug='() { :;}; echo VULNERABLE'

    Now execute a simple echo to see if Bash will evaluate the code in $testbug even though you've not used that variable yourself:

    $ bash -c "echo Hello"
VULNERABLE
Hello

    If it shows the "VULNERABLE" string, the answer is obvious. Otherwise, you don't need to worry and your patched version of Bash is OK.

    Please note multiple patches have been released by the major Linux distributions and sometimes they don't fix the vulnerability completely. Keep checking the security advisories and the CVE entry for this bug.

    • 32

  3. I wrote a CLI utility called ShellShocker to test your webserver for vulnerabilities on CGI scripts. To test your site, you'd run:

    python shellshocker.py <your-server-address>/<cgi-script-path>

    ie

    python shellshocker.py http://example.com/cgi-bin/possibly-vulnerable-script.cgi

    EDIT: this utility's been taken down, sorry :'(

    • 2

  4. ShellShock is practically a conjunction of more than one vulnerabilities of bash, and at this moment there is also malaware that exploits this vulnerability, so ShellShock can be an issue that is still open, there is a thread with updates from RedHat about this issues.

    Redhat recommeds the following:

    Run command:

    $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

    If output is:

    $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

    you don't have any fix.

    If output is:

    $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

    you have CVE-2014-6271 fix

    If your output is: 

    $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

    you are not vulnerable.

    The other part of ShellShock check is the CVE-2014-7169 vulnerability check ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

    $ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

    If your system is vulnerable, the time and date will display and /tmp/echo will be created.

    If your system is not vulnerable, you will see output similar to:

    $ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
    • 2

  5. You can submit your CGI URL to this online test:

    http://shellshock.iecra.org

    • 1

  6. type env x='() { :;}; echo vulnerable' bash -c "echo this is a test" and if this returns vulnerable and this is a test it means that your OSX/Linux machine is affected. Remedy is to update to the latest version of bash.

    • -1