Test of problems with CVE-2014-7186 and CVE-2014-7187:

    bash -c "true $(printf '</dev/null
    if [ $? != 0 ]; then
        echo -e "Vulnerable to CVE-2014-7186"
    fi

    bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
    if [ $? != 0 ]; then
        echo -e "Vulnerable to CVE-2014-7187"
    fi

Test script for shellshocker and related vulnerabilities (https://github.com/hannob/bashcheck).
The Bash vulnerability that is now known as shellshock had an incomplete fix at first. There are currently 4 public and one supposedly non-public vulnerability.

CVE-2014-6271
The original vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

CVE-2014-7169
Further parser error, found by Tavis Ormandy (taviso).
https://twitter.com/taviso/status/514887394294652929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

CVE-2014-7186
Out-of-bounds memory read error in redir_stack.
http://seclists.org/oss-sec/2014/q3/712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186

CVE-2014-7187
Off-by-one error in nested loops. (The check only works when Bash is built with -fsanitize=address.)
http://seclists.org/oss-sec/2014/q3/712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

CVE-2014-6277
Not yet published parser bug by Michal Zalewski (lcamtuf).
http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277

Latest version (2014-10-22):

    #!/bin/bash

    # Report a finding; it only counts as exploitable when the
    # function import parser is reachable ($scary is 1).
    warn() {
        if [ "$scary" == "1" ]; then
            echo -e "\033[91mVulnerable to $1\033[39m"
        else
            echo -e "\033[93mFound non-exploitable $1\033[39m"
        fi
    }

    good() {
        echo -e "\033[92mNot vulnerable to $1\033[39m"
    }

    tmpdir=`mktemp -d -t tmp.XXXXXXXX`

    # Test the bash binary named in $1, or the default bash.
    [ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
    echo -e "\033[95mTesting $bash ..."
    $bash -c 'echo "Bash version $BASH_VERSION"'
    echo -e "\033[39m"

    # Which variable names does this bash import function definitions from?
    #r=`a="() { echo x;}" $bash -c a 2>/dev/null`
    if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
        echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
        scary=1
    elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
        echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
        scary=0
    elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
        echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
        scary=0
    elif [ -n "$(env '__BASH_FUNC<a>()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
        echo -e "\033[92mVariable function parser pre/suffixed [__BASH_FUNC<..>(), apple], bugs not exploitable\033[39m"
        scary=0
    else
        echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
        scary=0
    fi

    r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
    if [ -n "$r" ]; then
        warn "CVE-2014-6271 (original shellshock)"
    else
        good "CVE-2014-6271 (original shellshock)"
    fi

    # CVE-2014-7169 is detected by a file named "echo" appearing in the temp dir.
    pushd $tmpdir > /dev/null
    env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
    if [ -e echo ]; then
        warn "CVE-2014-7169 (taviso bug)"
    else
        good "CVE-2014-7169 (taviso bug)"
    fi
    popd > /dev/null

    # An AddressSanitizer report or exit status 139 (segfault) marks CVE-2014-7186.
    $($bash -c "true $(printf '<$tmpdir/bashcheck.tmp)
    ret=$?
    grep AddressSanitizer $tmpdir/bashcheck.tmp > /dev/null
    if [ $? == 0 ] || [ $ret == 139 ]; then
        warn "CVE-2014-7186 (redir_stack bug)"
    else
        good "CVE-2014-7186 (redir_stack bug)"
    fi

    $bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
    if [ $? != 0 ]; then
        warn "CVE-2014-7187 (nested loops off by one)"
    else
        echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
    fi

    $($bash -c "f(){ x(){ _;};x(){ _;}</dev/null)
    if [ $? != 0 ]; then
        warn "CVE-2014-6277 (lcamtuf bug #1)"
    else
        good "CVE-2014-6277 (lcamtuf bug #1)"
    fi

    # CVE-2014-6278 is tried under each variable naming scheme.
    if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
        warn "CVE-2014-6278 (lcamtuf bug #2)"
    elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
        warn "CVE-2014-6278 (lcamtuf bug #2)"
    elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
        warn "CVE-2014-6278 (lcamtuf bug #2)"
    else
        good "CVE-2014-6278 (lcamtuf bug #2)"
    fi

    rm -rf $tmpdir
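
The first check in the script distinguishes four ways a function definition can be encoded in an environment variable name. The following added example (not part of bashcheck or of the original page; the function names and the sample data are constructed) applies the same distinction to a captured environment block instead of a bash binary, flagging every entry whose value begins with "() {".

```sh
#!/bin/sh
# Added example, not bashcheck code. Function names and sample data are constructed.

# classify_env_entry 'NAME=VALUE' prints how a function-shaped entry is encoded:
#   plain     ordinary name; only a bash without the prefix/suffix patch imports it
#   upstream  BASH_FUNC_name%%
#   redhat    BASH_FUNC_name()
#   apple     __BASH_FUNC<name>()
#   none      value does not start with "() {"
classify_env_entry() {
    name=${1%%=*}      # text before the first "="
    value=${1#*=}      # text after the first "="
    case $value in
        '() {'*) ;;
        *) echo none; return 0 ;;
    esac
    case $name in
        BASH_FUNC_*%%)        echo upstream ;;
        BASH_FUNC_*'()')      echo redhat ;;
        '__BASH_FUNC<'*'>()') echo apple ;;
        *)                    echo plain ;;
    esac
}

# audit_environ reads a NUL-separated environment block on stdin (the layout of
# /proc/PID/environ) and prints "class<TAB>name" for each function-shaped entry.
audit_environ() {
    # NUL becomes the line separator; newlines inside values become spaces.
    tr '\000\n' '\n ' | while IFS= read -r entry || [ -n "$entry" ]; do
        class=$(classify_env_entry "$entry")
        [ "$class" = none ] || printf '%s\t%s\n' "$class" "${entry%%=*}"
    done
}

# Constructed sample block; the values are the ones used by the checks above.
sample_environ() {
    printf '%s\0' 'PATH=/usr/bin' 'x=() { :; }; echo x' \
        'BASH_FUNC_a%%=() {  echo x
}' 'BASH_FUNC_a()=() { echo x;}' '__BASH_FUNC<a>()=() { echo x;}' \
        'note=text with () { in the middle'
}

sample_environ | audit_environ
```

On Linux, `audit_environ < /proc/PID/environ` applies the same classification to the environment of a running process. A "plain" entry is the one to investigate, since it is the form an unpatched bash would parse at startup.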