You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@oodt.apache.org by Bruce Barkstrom <br...@gmail.com> on 2014/09/27 15:55:17 UTC

Bash Security Issue Detection

I've been told that if you do

env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo

And if the output shows the date, your Linux system or systems
have the vulnerability (CVE-2014-7169).

Security can sure add things to do.

Bruce b.

Re: Bash Security Issue Detection

Posted by Bruce Barkstrom <br...@gmail.com>.

Thanks very much for the clarification.

Bruce B.

On Sat, Sep 27, 2014 at 11:42 AM, <ke...@apache.org> wrote:

>
> > env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
>
> This gives me a positive on bash-3.2.51 on Mac OS X "Mavericks" 10.9.5 but
> also a false positive on a patched bash-4.2.37 on Debian "squeeze" 7.6
> (i.e., I get the date on both).
>
> However, this test (originally from [1]) is a bit more reliable:
>
>         env x='() { :;}; echo vulnerable' bash -c 'echo hello'
>
> On the same bash from Mac, I get:
>
> bash-3.2$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
> vulnerable
> hello
> bash-3.2$
>
> Whereas on the patched bash on Debian, I get:
>
> bash-4.2$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> hello
> bash-4.2$
>
> Enjoy
> --k
>
> [1]
> http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851

Re: Bash Security Issue Detection

Posted by ke...@apache.org.

> env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo

This gives me a positive on bash-3.2.51 on Mac OS X "Mavericks" 10.9.5 but also a false positive on a patched bash-4.2.37 on Debian "squeeze" 7.6 (i.e., I get the date on both).

However, this test (originally from [1]) is a bit more reliable:

	env x='() { :;}; echo vulnerable' bash -c 'echo hello'

On the same bash from Mac, I get:

bash-3.2$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
bash-3.2$ 

Whereas on the patched bash on Debian, I get:

bash-4.2$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
bash-4.2$ 

Enjoy
--k

[1] http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851