Testing for the Shellshock (CVE-2014-6271) vulnerability

A new and critical vulnerability called “shellshock” has been announced. The vulnerability is in the ‘bash’ shell application and can be exploited remotely. There is a high chance that an Internet worm will be written to use this hole to attack systems over the Internet. A patch is available for this issue for most operating systems.

The vulnerability can be exploited over ssh, and over HTTP/HTTPS via CGI scripts.

Our team is still researching the vulnerability in order to design a test that is both reliable and non-destructive; however, due to the sensitive nature of executing commands on a live system remotely, this may be difficult.

In the meantime, we recommend doing a simple check to see if the server is vulnerable. To test if your version of Bash is vulnerable to this issue, run the following command:



$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
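
The same check wrapped as a small script that tests each bash binary on the system and decides on standard output alone (an added example, not part of the original article; the function names and the use of /etc/shells to locate bash binaries are assumptions):

```shell
#!/bin/sh
# Added example: run the env/bash check from this article against one or
# more bash binaries and print a verdict for each.

# Classify the stdout of the test command. A vulnerable bash runs the
# injected "echo vulnerable" while importing x, so that word appears as its
# own line. Warnings go to stderr and their wording is not relied on.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo "vulnerable"
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo "not vulnerable"
    else
        echo "inconclusive"   # the shell did not run the test command at all
    fi
}

# Run the check against the bash binary at path $1.
check_bash() {
    if [ ! -x "$1" ]; then
        echo "not found"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_output "$out"
}

# Check the bash found on PATH plus every bash listed in /etc/shells
# (assumed here to be where additional shells are registered).
check_all() {
    {
        command -v bash 2>/dev/null || true
        if [ -r /etc/shells ]; then grep '/bash$' /etc/shells || true; fi
    } | sort -u | while IFS= read -r b; do
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
}
```

Call check_all to list a verdict per binary, or check_bash with the path of a specific copy of bash, such as one bundled with an application.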

More information about this bug is available here:



Please feel free to contact us with any questions regarding this issue.
