So Are You Vulnerable To Shell-shock?

By jdfulmer | Published October 3, 2014 | Leave a comment

Here’s a quick command line test to see if you’re vulnerable to shell-shock, the bash vulnerability that everyone — I mean everyone — is talking about:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"

If your bash is vulnerable, it will execute the echo command inside the environment, if it’s not vulnerable, then it will only execute the stuff after -c

A vulnerable system prints this:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"
1. env
2. bash

A non-vulnerable system prints this:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"
2. bash

On the vulnerable system, the echo command that is set in the environment is executed by bash when the shell is invoked:

env x='() { :;}; echo 1. env' bash -c "echo 2. bash"

The stuff in red should NOT be executed. That’s a bug; it needs to be fixed.

NOTE: The second command was run on the server that hosts this blog entry. You guys can quit trying, mmmkay?

Home
Siege
- About
- Manual
- FAQ
- README
- History
Sproxy
- About
- Manual
- FAQ
Fido
- About
- Manual
- FAQ
AJPing
- About
- Manual
Pinochle
Dick
- About
- Manual
- FAQ
Wackyd
- Wackyd
- History
- README
- Manual
- FAQ
Perl Modules
Articles

Joe Dog Software