Problem:
How do I quickly test if my computer is vulnerable to the shellshock Bash bug?
Solution:
One way to test for the shellshock bug is to open a Terminal (in OS X, or any shell prompt in Linux, Cygwin, etc.) and run the following one-line command:
x='() { :;}; echo VULNERABLE' bash -c :
If your bash is vulnerable, VULNERABLE will appear as part of the response. Otherwise, if things are alright, you should get a response similar to the following:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
(Note that in some versions of fixed/patched bash shells, the above error won't show up but "VULNERABLE" will also not be printed to the terminal.)
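The same check wrapped as a small script, as an added example that is not part of the original post; the function names check_bash, classify_output and scan_all are made up for illustration. It decides only on whether VULNERABLE appears in the output, so it gives the right answer for both kinds of patched shell mentioned above (with or without the warning), and it checks every bash binary it can find instead of only the first one on your PATH.

```shell
#!/bin/sh
# Added example: wraps the one-line shellshock test from this post.

# classify_output TEXT -> "vulnerable" if the probe's trailing command ran,
# "patched" otherwise (warning text or empty output both count as patched).
classify_output() {
    case $1 in
        *VULNERABLE*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# check_bash BINARY -> "vulnerable", "patched" or "missing"
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 0; }
    # Same probe as the one-liner: x holds a function-definition-shaped value
    # followed by a trailing command. stderr is discarded because patched
    # shells may or may not print the "ignoring function definition" warning.
    out=$(env x='() { :;}; echo VULNERABLE' "$bin" -c : 2>/dev/null) || true
    classify_output "$out"
}

# scan_all -> one "path: result" line per distinct bash listed in /etc/shells
# or found on PATH (a machine can have more than one bash installed).
scan_all() {
    {
        grep -s '^/.*/bash$' /etc/shells || true
        command -v bash || true
    } | sort -u |
    while read -r b; do
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
}

scan_all
```

Any line ending in "vulnerable" means that particular bash binary needs updating.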
Notes:
If you're unsure of any of the steps in the above instructions, see if you can find a friend who is familiar with the bash shell and Terminal to try the above for you.
For more detail, check out the references below.
If your system happens to be vulnerable, and you're using Linux and don't know how to update your bash shell, try this post for instructions: http://linux.about.com/od/howtos/fl/How-To-Fix-The-BASH-Shellshock-Bug-On-Your-Linux-System.htm
NOTE: I won't be able to answer any questions about shellshock as I am not enough of an expert on this bug to comfortably respond. Sorry about that! I hope that this post still comes in handy to people out there.
References:
- http://security.stackexchange.com/questions/68168/is-there-a-short-command-to-test-if-my-server-is-secure-against-the-shellshock-b (contains a good, detailed technical explanation of the above command)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
- http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html (a very detailed explanation, for those curious)
- http://linux.about.com/od/howtos/fl/How-To-Fix-The-BASH-Shellshock-Bug-On-Your-Linux-System.htm (how to update bash shell on various distros of Linux)