
bashcheck's Introduction

bashcheck

Test script for Shellshock and related vulnerabilities

background

The Bash vulnerability now known as Shellshock had an incomplete fix at first. There are currently 6 public vulnerabilities.

shellshock and heartbleed

I wrote down some general thoughts about recent events and security in free software:

interpreting results

There has been some confusion about how to interpret the results of this script, and some people were scared by warnings on systems that did not have any exploitable bugs.

The most important fix you need is one of the prefix/suffix patches. The upstream patch numbers for this are bash042-050 and bash043-027 (patches for older versions are also available). This patch was originally created by Red Hat developer Florian Weimer, and a modified version was applied by Bash developer Chet Ramey.

Once you have this prefix patch, none of the other vulnerabilities are exploitable. They are still bugs that should be fixed, but there is nothing to worry about.

usage

Just run the script: ./bashcheck

CVE-2014-6271

The original vulnerability.

CVE-2014-7169

A further parser error, found by Tavis Ormandy (taviso).

CVE-2014-7186

Out-of-bounds memory read in redir_stack.

CVE-2014-7187

Off-by-one error in nested loops (the check only works when Bash is built with -fsanitize=address).

CVE-2014-6277

Uninitialized memory use in make_redirect(), found by Michal Zalewski (lcamtuf).

CVE-2014-6278

Another parser bug, analysis still incomplete, also found by Michal Zalewski (lcamtuf).

Patch recommendation

The latest upstream patches (4.3 since patchlevel 030, 4.2 since patchlevel 051) include all fixes.

They also add a prefix and suffix to the names of environment variables that carry function definitions (a variant of Florian Weimer's patch). This protects against further function parser bugs and most likely makes them not exploitable.

My current recommendation: Use latest upstream patches.
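The README's central point (in "interpreting results" and again here) is that what matters is whether the prefix/suffix patch is present: once Bash only imports functions from specially named environment variables, parser bugs can no longer be reached from an arbitrary variable. The following is an added example, not bashcheck's own code, that reports which variant of that hardening a given Bash binary has, using the same harmless probe the script uses (export a function that echoes x, then see whether bash -c a can call it). The variable-name conventions are assumptions taken from this page: the upstream BASH_FUNC_a%% form, Red Hat's BASH_FUNC_a() form, and the Apple form, for which it tries both the script's BASH_FUNC_<a>%% and the __BASH_FUNC<a>() form quoted from Apple's documentation in the issues below; the label names are mine.

```shell
# Added example, not part of bashcheck. Reports how the given bash binary imports
# functions from the environment. Probe value "() { echo x; }" is the same harmless
# definition the script itself uses; the labels below are this example's own names.
#
#   active    plain variable names are parsed as functions: the prefix/suffix patch
#             is absent, so every function parser bug is reachable from the environment
#   upstream  BASH_FUNC_a%%        (Chet Ramey's upstream patch)
#   redhat    BASH_FUNC_a()        (Florian Weimer's Red Hat variant)
#   apple     BASH_FUNC_<a>%% or __BASH_FUNC<a>() (the two Apple forms named on this page)
#   inactive  no variant imports functions at all
#   no-bash   the binary could not be found

# imports_function_as BASH VARNAME: true if exporting the probe under VARNAME makes
# "BASH -c a" run it (stdout non-empty). stderr is discarded: "a: command not found"
# is the expected noise when the variable is ignored.
imports_function_as() {
    [ -n "$(env "$2=() { echo x; }" "$1" -c a 2>/dev/null)" ]
}

# function_import_variant [BASH]: print one of the labels above. Always returns 0.
function_import_variant() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
    elif imports_function_as "$bash_bin" 'a'; then
        echo active
    elif imports_function_as "$bash_bin" 'BASH_FUNC_a%%'; then
        echo upstream
    elif imports_function_as "$bash_bin" 'BASH_FUNC_a()'; then
        echo redhat
    elif imports_function_as "$bash_bin" 'BASH_FUNC_<a>%%' \
      || imports_function_as "$bash_bin" '__BASH_FUNC<a>()'; then
        echo apple
    else
        echo inactive
    fi
    return 0
}

# Stand-alone use: ./probe.sh [/path/to/bash]
printf 'function import variant: %s\n' "$(function_import_variant "${1:-bash}")"
```

Any result other than "active" means the prefix patch (or an equivalent) is in place and, as the README says, the remaining bugs are not exploitable through the environment; "active" is the case where updating Bash is urgent regardless of what the individual CVE tests report.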

bashcheck's People

Contributors

bbodenmiller, englishm, hannob, joshcheek, kubax, redspider, sreschke80


bashcheck's Issues

Segmentation fault under Snow Leopard

Hi there.

I ran bashcheck under Snow Leopard (10.6.8) and ran into a couple of issues, most noticeably a segmentation fault.

My bash version is:

GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0)

Here’s the output:

$ ./bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 97643 Segmentation fault      bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Typos

Correction for some typos:

diff --git a/bashcheck b/bashcheck
index c4309b6..57325f1 100755
--- a/bashcheck
+++ b/bashcheck
@@ -22,16 +22,16 @@ if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
    echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
    scary=1
 elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
-   echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not explitable\033[39m"
+   echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
    scary=0
 elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
-   echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not explitable\033[39m"
+   echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
    scary=0
 elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
-   echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not explitable\033[39m"
+   echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
    scary=0
 else
-   echo -e "\033[92mVariable function parser inactive, bugs not explitable\033[39m"
+   echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
    scary=0
 fi
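Review bot: the spelling fix is correct in all four branches it touches, but the hunk covers only lines 22-37; please also grep the rest of the file for "explitable" so that no message outside this range keeps the old spelling. While in these lines, note that `echo -e` with hard-coded `\033[92m` escapes is not portable across shells and terminals; that is out of scope for a typo fix but is a reasonable follow-up.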

Apple prefix and suffix seems wrong

The code currently uses the following to test patched Apple bash versions:

env 'BASH_FUNC_<a>%%'=

Which implies a BASH_FUNC_< prefix and >%% suffix. However, it's not what is documented by Apple:

http://support.apple.com/kb/HT6495

The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" ...

I don't have a way to test, only pointing out inconsistency with what I found documented in the official update documentation and internet discussions.

Better Message for CVE-2014-7187 Please

'Test for CVE-2014-7187 not reliable without address sanitizer' is meaningful to the average user.

Do I need to install something else to make this run this test? Or does this mean it is not relevant?

Please can there be a more descriptive message that advises how to proceed?

Thanks

OSX segmentation fault.

Original:
MBP-DEVELOP:~ MBP-Devrop$ ./bashorig.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashorig.sh: line 15: 10880 Segmentation fault: 11 bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

Change to line 18 (line number refers to your original git code).
Original:
bash -c "true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null"
Modified:
bash -c "true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null

Result:
MBP-DEVELOP:~ MBP-Devrop$ ./bashtest.good
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

Please confirm.
Regards

Make output coloring optional

I'm having a cosmetic issue: when run on a black-on-white terminal, at least the yellow output is nearly completely unreadable and I have to copy-and-paste it to be able to actually read it. Please either provide a switch to deactivate coloring or detect whether the output goes to a terminal and show colors only then, so that './bashcheck | cat' removes the colors, like ls does.

Non-portable color escape codes

I assume that the escape codes in this script display very nice colors on your platform, but they do not appear correctly in my terminal.

3__ello__tmux_

Are they necessary? I'll send a separate pull request to remove them.
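Both of the preceding issues (colors unreadable or not rendered, no way to turn them off) have the same standard remedy: decide at run time whether color output makes sense, and take the escape sequences from the terminal database instead of hard-coding them. The block below is an added example, not bashcheck's code or a pull request from either reporter. It assumes the NO_COLOR environment-variable convention (any non-empty value disables color) and the availability of tput; where tput or TERM is missing it silently falls back to plain text. The function names are this example's own.

```shell
# Added example, not part of bashcheck. Colored status lines that degrade to plain
# text whenever color would not be seen correctly.

# color_wanted: true only if stdout is a terminal and NO_COLOR is not set, so
# "./bashcheck | cat" and log captures get plain text, the same way ls behaves.
color_wanted() {
    [ -z "${NO_COLOR:-}" ] && [ -t 1 ]
}

# sgr NAME: the terminfo sequence for NAME (red, green, yellow, reset), looked up
# with tput. Prints nothing when tput fails (no TERM, unknown terminal, no tput at
# all), which is why raw "\033[9Xm" garbage never reaches an unsupported terminal.
sgr() {
    case $1 in
        red)    tput setaf 1 2>/dev/null || : ;;
        green)  tput setaf 2 2>/dev/null || : ;;
        yellow) tput setaf 3 2>/dev/null || : ;;
        reset)  tput sgr0    2>/dev/null || : ;;
        *)      return 1 ;;
    esac
}

# paint COLOR TEXT: print TEXT, wrapped in COLOR only when color is wanted.
# printf replaces "echo -e", whose handling of escapes differs between shells.
paint() {
    if color_wanted; then
        printf '%s%s%s\n' "$(sgr "$1")" "$2" "$(sgr reset)"
    else
        printf '%s\n' "$2"
    fi
}

# Stand-alone use: the three message kinds bashcheck prints (constructed sample text).
paint red    "Vulnerable to CVE-2014-6271 (original shellshock)"
paint green  "Not vulnerable to CVE-2014-7169 (taviso bug)"
paint yellow "Test for CVE-2014-7187 not reliable without address sanitizer"
```

Because the tty check is made on stdout specifically, redirecting stderr or running under a pager both behave sensibly, and a user on a black-on-white terminal can export NO_COLOR=1 once instead of editing the script.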

Solaris issues

On Solaris the script produces two errors: one is for a missing option for grep, the other is about an unremovable directory.
Would very much appreciate fixing it.

Testing /usr/bin/bash ...
GNU bash, version 3.2.52(1)-release (sparc-sun-solaris2.10)

Variable function parser pre/suffixed [(), redhat], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
grep: illegal option -- q
Usage: grep -hblcnsviw pattern file . . .
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
rm: Cannot remove any directory in the path of the current working directory
/tmp/tmp.XX_BaOQT
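The two Solaris failures in the output above are classic portability slips: /usr/bin/grep on that platform has no -q option (its usage line lists only -hblcnsviw), and Solaris rm refuses to delete a directory that is still the current working directory. The block below is an added example, not bashcheck's code, showing one portable way to write both operations in POSIX sh; it assumes nothing beyond grep, mktemp -d and rm, and the function names are this example's own.

```shell
# Added example, not part of bashcheck. Two portable replacements for the
# constructs that fail on Solaris.

# quiet_grep PATTERN FILE: same exit status as "grep -q PATTERN FILE", but works
# with greps that lack -q by discarding the output instead of suppressing it.
quiet_grep() {
    grep "$1" "$2" >/dev/null 2>&1
}

# run_in_tmpdir CMD [ARG...]: run CMD with a fresh temporary directory as its
# working directory, then delete that directory. The cd happens in a subshell, so
# the caller's cwd is never inside the directory being removed; that is the
# condition Solaris rm rejects with "Cannot remove any directory in the path of
# the current working directory". CMD's exit status is passed through.
run_in_tmpdir() {
    _tmp=$(mktemp -d "${TMPDIR:-/tmp}/bashcheck.XXXXXX") || return 1
    _rc=0
    ( cd "$_tmp" && "$@" ) || _rc=$?
    rm -rf "$_tmp"
    return "$_rc"
}

# Stand-alone use: a constructed version string checked the way the script might.
_sample=$(mktemp "${TMPDIR:-/tmp}/bashcheck-sample.XXXXXX")
printf 'GNU bash, version 3.2.52(1)-release (sparc-sun-solaris2.10)\n' > "$_sample"
if quiet_grep 'version 3\.2' "$_sample"; then
    echo "bash 3.2 detected"
fi
rm -f "$_sample"
run_in_tmpdir sh -c 'echo "working in $(pwd)"'
```

Note that run_in_tmpdir removes the directory even when CMD fails, so a segfaulting test (like the one reported for OS X above) no longer leaves a stray /tmp/tmp.* directory behind.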

Segfault in CentOS 6.x

I have tried the script and the output seems fine, but my /var/log/messages gets a segfault whenever I run it. Anybody have a clue why?

Tried running each test for the vulnerabilities separately and no problems there, but the script gives a segfault, though still correct output.

Oct 17 16:06:26 localhost kernel: bash[1440]: segfault at 0 ip 00007fa34976e451 sp 00007fff998aa168 error 4 in libc-2.12.so[7fa3496ed000+18b000]

root@localhost ~]# bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)

This seems to be the last version in my CentOS repository. I tried to reproduce the same problem on a new Ubuntu and no issues there.

What's the expected output for the -7186 test?

I'm still getting vulnerable results from Macs running the official Apple bash fix. After the changes made to that test today, I'm not clear if that's the expected outcome or not. Should patched machines show vulnerable for the -7186 test or not?
