shellshock

Pedroski · 09-25-2014, 05:36 PM

How do I check if my computer has this bash shellshock bug?? I use Ubuntu and Fedora normally.

albinard · 09-25-2014, 05:45 PM

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test

If you're safe, it will throw an error;
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a testenv

Pedroski · 09-25-2014, 05:59 PM

And if I get this???

pedro@pedro-bedro2:~$ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
$: command not found
pedro@pedro-bedro2:~$

Pedroski · 09-25-2014, 06:01 PM

Sorry, picked up your $ sign. Now I have this:

pedro@pedro-bedro2:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
pedro@pedro-bedro2:~$

rokytnji · 09-25-2014, 06:04 PM

Code:

$ env X="() { :;} ; echo vulnerable" bash -c "echo safe"
bash: warning: X: ignoring function definition attempt
bash: error importing function definition for `X'
safe

Code:

$  env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"
safe

Mine is safe

Edit; Saw your post after I posted Pedroski. You are safe also.

Code:

$ dpkg -s bash | grep Version
Version: 4.3-7

Pedroski · 09-25-2014, 06:12 PM

Thanks, got this

pedro@pedro-bedro2:~$ env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"
safe

but it stays 'live', have to ctrl c to get back to the prompt.

pedro@pedro-bedro2:~$ dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.1
pedro@pedro-bedro2:~$ Version: 4.3-7

rokytnji · 09-25-2014, 08:23 PM

My AntiX gear is ahead of the curve also.

Code:

harry@biker:~
$ env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"
safe
harry@biker:~
$ dpkg -s bash | grep Version
Version: 4.3-8

But I run Debian Testing repos mostly. Instead of Wheezy (except for one old laptop).

Pedroski · 09-26-2014, 02:31 AM

Well, that's the difference between a layman like me, and someone who knows what they are doing!

Thanks for the tips!