#bashcheck

Test script for Shellshock and related vulnerabilities

##fork info This fork prepends all output with 'HOSTNAME' to allow for this script to be run against many servers at once, with 'HOSTNAME' being substituted with that server's name. The substitution does not take place here, but takes place in whatever script is running bashcheck

##background

The Bash vulnerability that is now known as Shellshock had an incomplete fix at first. There are currently 6 public vulnerabilities.

##interpreting results

There's been some confusion how to interpret the results of this script and some people got scared by warnings on systems that didn't have any exploitable bugs.

The most important fix you need is one of the prefix/suffix-patches. Upstream patch number for this is bash042-050 and bash043-027 (patches for older versions also available). This patch was originally created by RedHat developer Florian Weimer and a modified version was applied by Bash developer Chet Ramey.

Once you have this prefix patch all other vulnerabilities are not exploitable. They are still bugs that should be fixed, but there is nothing to worry about.

##usage

Just run script: ./bashcheck

####CVE-2014-6271

The original vulnerability.

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

####CVE-2014-7169

Further parser error, found by Tavis Ormandy (taviso).

• https://twitter.com/taviso/status/514887394294652929
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

####CVE-2014-7186

Out of bound memory read error in redir_stack.

• http://seclists.org/oss-sec/2014/q3/712
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186

####CVE-2014-7187

Off-by-one error in nested loops. (check only works when Bash is built with -fsanitize=address)

• http://seclists.org/oss-sec/2014/q3/712
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

####CVE-2014-6277

Uninitialized Memory use in make_redirect(), found by Michal Zalewski (lcamtuf).

• http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277

####CVE-2014-6278

Another parser bug, analysis still incomplete, also found by Michal Zalewski (lcamtuf).

• http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278

##Patch recommendation

Latest upstream patches (4.3 since patchlevel 030, 4.2 since patchlevel 051) include all fixes.

They also add prefixing to variable functions (a variant of Florian Weimer's patch). This protects from further function parser bugs and makes them likely not exploitable.

My current recommendation: Use latest upstream patches.