How to test if my server is vulnerable to the ShellShock bug?

bash security cgi

To check for the CVE-2014-6271 vulnerability

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

it should NOT echo back the word vulnerable.

To check for the CVE-2014-7169 vulnerability
(warning: if yours fails it will make or overwrite a file called /tmp/echo that you can delete after, and need to delete before testing again ) 
cd /tmp; env X='() { (a)=>\' bash -c "echo date"; cat echo

it should say the word date then complain with a message like cat: echo: No such file or directory. If instead it tells you what the current datetime is then your system is vulnerable.

To check for CVE-2014-7186 
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

it should NOT echo back the text CVE-2014-7186 vulnerable, redir_stack.

To check for CVE-2014-7187 
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

it should NOT echo back the text CVE-2014-7187 vulnerable, word_lineno.

To check for CVE-2014-6277. I'm not 100% sure on this one as it seems to rely on a partially patched system that I no longer have access to. 
env HTTP_COOKIE="() { x() { _; }; x() { _; } <<`perl -e '{print "A"x1000}'`; }" bash -c "echo testing CVE-2014-6277"

A pass result on this one is it ONLY echoing back the text testing CVE-2014-6277. If it runs perl or if it complains that perl is not installed that is definitely a fail. I'm not sure on any other failure characteristics as I no longer have any unpatched systems.

To check for CVE-2014-6278. Again, I'm not 100% sure on if this test as I no longer have any unpatched systems. 
env HTTP_COOKIE='() { _; } >_[$($())] { echo hi mom; id; }' bash -c "echo testing CVE-2014-6278"

A pass for this test is that it should ONLY echo back the text testing CVE-2014-6278. If yours echoes back hi mom anywhere that is definitely a fail.


Export a especially crafted environment variable that will be evaluated automatically by vulnerable versions of Bash:

$ export testbug='() { :;}; echo VULNERABLE'

Now execute a simple echo to see if Bash will evaluate the code in $testbug even though you've not used that variable yourself:

$ bash -c "echo Hello"
VULNERABLE
Hello

If it shows the "VULNERABLE" string, the answer is obvious. Otherwise, you don't need to worry and your patched version of Bash is OK.

Please note multiple patches have been released by the major Linux distributions and sometimes they don't fix the vulnerability completely. Keep checking the security advisories and the CVE entry for this bug.


ShellShock is practically a conjunction of more than one vulnerabilities of bash, and at this moment there is also malaware that exploits this vulnerability, so ShellShock can be an issue that is still open, there is a thread with updates from RedHat about this issues.

Redhat recommeds the following:

Run command:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If output is:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

you don't have any fix.

If output is:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

you have CVE-2014-6271 fix

If your output is: 

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

you are not vulnerable.

The other part of ShellShock check is the CVE-2014-7169 vulnerability check ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

If your system is vulnerable, the time and date will display and /tmp/echo will be created.

If your system is not vulnerable, you will see output similar to:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

Related

How do I list the files associated with a Python package installed using pip or easy_install?
How to reload default Mac OSX routing table without rebooting
Transfer 15TB of tiny files
pg_dump and pg_restore: input file does not appear to be a valid archive
How to check the physical status of an ethernet port in Linux?
What does "debconf: delaying package configuration, since apt-utils is not installed" mean?
OpenVPN vs. IPsec - Pros and cons, what to use?
Does each subdomain need it's own SSL certificate?
Human readable format for http headers with tcpdump
Where is my mysql log on OS X?
How to keep rsync from chown'ing transferred files?
SSHFS mount that survives disconnect