Testing for the Shellshock (cve-2014-6271) vulnerability

A new and critical vulnerability called “shellshock” has been announced. The vulnerability is in the ‘bash’ shell application and can be remotely exploitable. There is a high chance that an Internet worm will be written to use this hole to attack systems over the Internet. A patch is available for this issue for most operating systems.

The vulnerability can be exploited over ssh, and over HTTP/HTTPS via CGI scripts.

Our team is still researching the vulnerability in order to design a test that is both reliable and non-destructive; however, due to the sensitive nature of executing commands on a live system remotely this may be difficult.

In the meantime, we recommend doing a simple check to see if the server is vulnerable. To test if your version of Bash is vulnerable to this issue, run the following command:

 

 

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

 

vulnerable
this is a test

 

you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

More information about this bug is available here:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Please feel free to contact us with any question regarding this issue.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk