\[News\] BASH Bourne Shell Bug (GNU/Linux) Shellshock
-
There is a Bash shell bug that is blowing up on the security webs as it could be exploited like heartbeat. It isn’t fully fixed yet either, so it’s worth keeping an eye on if you run GNU/Linux.
Am I vulnerable?
Edit for the time being: You are. No complete public fix has been posted yet for the new CVE (CVE-2014-769). The instructions I give below are only sufficient to close off part of the vulnerability.
There is an easy check. Open a terminal and paste the following:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
It simply sets the environment variable called x to the value ‘() { :;}; echo vulnerable’. It then invokes bash, asking it to echo back the word hello. The value of x that is set is a function definition that should do nothing. However, it is crafted to try to run ‘echo vulnerable’ when the environment is parsed at bash start-up, which just prints vulnerable to standard output.
If you are not vulnerable, then the following will be shown:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
If you are vulnerable, then you will see:
vulnerable
hello
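Added example, not part of the original post: a small POSIX shell wrapper that runs the probe above against each bash binary on a host and classifies the output, since a machine can carry more than one bash. The function names and the list of candidate paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: wraps the probe from the post so it can be run against
# several bash binaries. Function names and paths are assumptions.

# Classify the probe's combined stdout/stderr into a single word.
classify_probe() {
    # A vulnerable bash runs the trailing command, so a line that is
    # exactly "vulnerable" appears in the output.
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'hello'; then
        # Only this one probe passed; the post notes the fix is partial.
        echo passes-this-probe
    else
        # bash did not run the requested command at all.
        echo unknown
    fi
}

# Run the post's probe against one bash binary and classify the result.
probe_bash() {
    [ -x "$1" ] || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>&1)
    classify_probe "$out"
}

# Probe each candidate path (constructed list; adjust for your hosts).
probe_all() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        printf '%s\t%s\n' "$b" "$(probe_bash "$b")"
    done
}

probe_all
```

A result of passes-this-probe covers only the check shown in the post, which the post itself says closes off part of the vulnerability.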
-
Thanks Wrapper! Seriously helpful.
-
patched
-
There’s a good new test for whether your website is vulnerable, and further info. Full fix not released yet.
‘ShellShock’ Bash Vulnerability CVE-2014-6271 Test Tool. http://shellshock.brandonpotter.com/
-
Note: these tests for shellshock are with the Bourne Shell still not fully fixed, and they use wget or curl; it doesn’t automatically mean a long term problem …
Just checked a network.html page I created / cloned, from code that gives your internal network IP address. It failed a shellshock test.
P2Pool looks secure so far.
-
thanks wrapper