A vulnerable Cygwin shell.
Using the Shellshock vulnerability to run ls in Cygwin.
    Homer@bejiitas ~ $ x='() { :;}; `/bin/ls -hula`' bash -c :
    bash: total 53K
    drwxrwxr-x+ 1 Homer Homer 0 Sep 26 18:38 .
    drwxrwxrwt+ 1 Homer Homer 0 Sep 26 2013 ..
    -rw-rw---- 1 Homer Homer 222 Sep 26 2013 .bash_history
    -rwxrwxr-x 1 Homer Homer 1.5K Sep 26 2013 .bash_profile
    -rwxrwxr-x 1 Homer Homer 6.0K Sep 26 2013 .bashrc
    drwxrwx---+ 1 Homer Homer 0 Sep 26 2013 .cache
    drwxrwx---+ 1 Homer Homer 0 Sep 26 2013 .config
    -rwxrwxr-x 1 Homer Homer 1.9K Sep 26 2013 .inputrc
    drwxrwx---+ 1 Homer Homer 0 Sep 26 2013 .local
    -rw-rw-r-- 1 Homer Homer 175 Sep 26 2013 .minttyrc
    -rwxrwxr-x 1 Homer Homer 9.7K Sep 26 2013 .mkshrc
    -rwxrwxr-x 1 Homer Homer 1.3K Sep 26 2013 .profile
    drwx------+ 1 Homer None 0 Jun 25 12:56 .ssh
    drwxrwxr-x+ 1 Homer Homer 0 Jan 2 2014 Documents
    -rwxr-xr-x 1 Homer None 503 Sep 26 18:38 bash.exe.stackdump
    -rwxrwxr-x 1 Homer Homer 136 Jan 2 2014 my.c
    -rwxrwxr-x 1 Homer Homer 136 Jan 2 2014 my.cn-place=~
    -rw-rw-r-- 1 Homer Homer 25 Dec 23 2013 out.base
    drwxrwxr-x+ 1 Homer Homer 0 Oct 17 2013 sysinfo-master
    drwxrwxr-x+ 1 Homer Homer 0 Sep 11 22:50 sysinfo.kdevelop-1.0: Permission denied
    Segmentation fault (core dumped)
This is the command to run to check whether you are vulnerable.
    env check='Not vulnerable' x='() { :;}; check=Vulnerable' bash -c 'echo $check'
And this is the output that you should get if you are running a patched version of bash.
    jason@jason-H55-USB3:~/Documents$ env check='Not vulnerable' x='() { :;}; check=Vulnerable' bash -c 'echo $check'
    env check='Not vulnerable' x='() { :;}; check=Vulnerable' bash -c 'echo $check'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    Not vulnerable
This is the version of bash that I am running.
    jason@jason-H55-USB3:~/Documents$ bash --version
    bash --version
    GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
Version 4.3.11 is the version to upgrade to if you want to beat this security hole. This is really an exaggerated problem, only really a worry if you are running a device or a computer with an outdated operating system. Bash version 3.2.51 would be vulnerable, but upgrading to 4.3.11 will fix this problem.
Type this command on a Debian or Ubuntu/Mint system.
    sudo apt-get update ; sudo apt-get upgrade
This will upgrade your bash copy to the latest version if you are using Debian, Mint or Ubuntu.
Here I am checking my zsh shell as well. This is zsh version 5.0.2.
    jason@jason-H55-USB3 ~ % env x='() { :;}; echo vulnerable' zsh -c 'echo hello'
    hello
And the sh shell.
    $ env x='() { :;}; echo vulnerable' sh -c 'echo hello'
    hello
So my system is patched and safe.
Another way to test your systems: http://security.stackexchange.com/questions/68168/is-there-a-short-command-to-test-if-my-server-is-secure-against-the-shellshock-b?lq=1.
Mac OS X Shellshock information: http://security.stackexchange.com/questions/68123/are-ordinary-os-x-desktops-at-risk-from-bash-shellshock-bug-cve-2014-6271.
This is another possible exploit though.
    env X='() { (a)=>\' sh -c "echo date"; cat echo
This should still work.
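Both checks on this page can be wrapped into one script that reports a result per shell. This is an added example, not part of the original post; the function names, the report format and the default shell list (bash, sh and zsh, the three tested above) are choices of the example. The second check runs in a scratch directory because a vulnerable parser leaves a file named echo in the current directory.

```shell
#!/bin/sh
# Added example: run the page's two Shellshock checks against several shells.
# Function names and the report format are assumptions of this example.

have_shell() {
    case $1 in
        */*) [ -x "$1" ] ;;
        *)   command -v "$1" >/dev/null 2>&1 ;;
    esac
}

# Check 1 (the page's "env check=..." test): does the shell run the code
# that trails a function definition imported from the environment?
check_env_import() {
    have_shell "$1" || { echo missing; return 0; }
    out=$(env check='Not vulnerable' x='() { :;}; check=Vulnerable' \
        "$1" -c 'echo $check' 2>/dev/null) || true
    case $out in
        Vulnerable)       echo vulnerable ;;
        'Not vulnerable') echo patched ;;
        *)                echo unknown ;;
    esac
}

# Check 2 (the page's "cat echo" test): a vulnerable parser creates a file
# named "echo". Pass an absolute path or a bare name; the check changes dir.
check_parser_file() {
    have_shell "$1" || { echo missing; return 0; }
    tmp=$(mktemp -d) || { echo unknown; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' "$1" -c "echo date" ) \
        >/dev/null 2>&1 || true
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# Report both results for each shell (default: the three the page tests).
audit_shells() {
    [ $# -gt 0 ] || set -- bash sh zsh
    for s in "$@"; do
        printf '%s: env-import=%s parser-file=%s\n' "$s" \
            "$(check_env_import "$s")" "$(check_parser_file "$s")"
    done
}

audit_shells "$@"
```

Any shell reported as vulnerable or unknown by either check needs its package updated and the script run again.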
More information here: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html