Shellshock bug testing for vulnerability

A new bug has been discovered recently, affecting most Linux systems running bash. You can read more about it here, but the question most often asked is: how do you check whether you are vulnerable? Here's a simple way to find out. Log in to your Linux box and run the following:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you are not vulnerable, the output will be:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If you are vulnerable:

vulnerable
this is a test
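
To run the check above from a script, for instance against every bash binary on a host, the verdict has to be read from the output rather than by eye. The following is an added example, not part of the original post; the function names and the list of paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: wraps the page's CVE-2014-6271 check so it can be scripted.
# classify_shellshock_output, check_bash and check_all_bash are hypothetical names.

# Classify the captured stdout of the test command.
# Prints "vulnerable", "not-vulnerable" or "inconclusive".
classify_shellshock_output() {
    out=$1
    # The trailing "echo vulnerable" only executes on an unpatched bash, so a
    # stdout line that is exactly "vulnerable" is the signal. The warning
    # lines go to stderr and may be absent, so they are not relied on.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo not-vulnerable
    else
        # The binary did not even run the harmless command: no verdict.
        echo inconclusive
    fi
}

# Run the page's test against one bash binary (default: bash from PATH).
check_bash() {
    bin=${1:-bash}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    classify_shellshock_output "$out"
}

# Check each bash found in a few common locations (assumed list), one per line.
check_all_bash() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$b" ] && printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
    return 0
}

check_all_bash
```

A host can carry more than one bash (a vendor package plus a locally built copy), and each copy has to be patched separately, which is why the binary path is a parameter.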

Update (Oct 2): Here's a newer version of the test script. It incorporates tests for all of the other bugs related to Shellshock.

Download link

Test results are self-explanatory:

If not vulnerable (will appear in a healthy-green colour):

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

If vulnerable:

Variable function parser active, maybe vulnerable to unknown parser bugs
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1)

 
