How to REALLY test for Bash Shellshock (CVE-2014-6271)
Thursday, September 25th, 2014
As always in a crisis, many things go wrong. Everybody starts chattering, and the signal-to-noise ratio deteriorates. I’ll keep this brief.
There are a bunch of sites out there that are telling you how to test for the Bash Shellshock vulnerability. Many of the tests are WRONG:
    # WROOOOOOOOOOOOOOOOONG
    $ env x=’() { ;;}; echo vulnerable’ sh -c “echo this is a test”
    syntax error near unexpected token `('
Spot the first problem! First of all, this uses the wrong kind of quotes. That syntax error is NOT an indication that your system isn’t vulnerable. It’s an indication that the blog you copied the instruction from doesn’t understand what ASCII quotes are.
Now, spot the second problem! Which shell is this calling?? Is it bash? No, it’s `sh`. So if `sh` isn’t linked to bash, you get this:
    # WROOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONG
    $ env x='() { ;;}; echo vulnerable' sh -c “echo this is a test”
    sh: x: line 0: syntax error near unexpected token `;;'
    sh: x: line 0: `x () { ;;}; echo vulnerable'
    sh: error importing function definition for `x'
    this: “echo: command not found
“Oh, great, we’re not vulnerable”, you think. But it’s not executing bash at all, it’s executing some other shell. Sloppy work.
Here’s a way to actually test your system. BUT don’t take my word for it, perhaps it is not right either:
    # Perhaps correct:
    $ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    vulnerable
    hello
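The same check as a script that avoids both mistakes above, as an added example that is not from the original post: it tests an explicitly named binary, confirms that binary is really bash, and uses ASCII quotes throughout. The function names and the marker string are this example's own.

```shell
#!/bin/sh
# Added example: Shellshock (CVE-2014-6271) self-check that names the binary
# under test. Function names and MARKER are this example's own, not the post's.

MARKER="SHELLSHOCK_MARKER_$$"

# Classify captured output. The marker only appears if the text after the
# function definition in the environment variable was executed on import.
classify_output() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;
        *hello*)     echo "not-vulnerable" ;;
        *)           echo "inconclusive" ;;
    esac
}

# Check one explicit binary path, e.g. /bin/bash. Never trusts the name `sh`.
shellshock_check() {
    bin=$1
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        echo "not-found"
        return 0
    fi
    # Confirm the binary is bash: dash, ash and friends leave BASH_VERSION unset.
    ver=$("$bin" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "not-bash"
        return 0
    fi
    # ASCII quotes only, and ':;' (a valid no-op body) rather than ';;'.
    out=$(env x="() { :;}; echo $MARKER" "$bin" -c 'echo hello' 2>/dev/null) || true
    classify_output "$out"
}

# Report on bash and on whatever `sh` resolves to on this system.
report() {
    for name in bash sh; do
        path=$(command -v "$name" 2>/dev/null) || continue
        printf '%s (%s): %s\n' "$name" "$path" "$(shellshock_check "$path")"
    done
}

report
```

A `not-bash` result for `sh` means the test never exercised bash through that name, which is not the same as `not-vulnerable`.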