hannob / bashcheck
test script for shellshocker and related vulnerabilities
License: Creative Commons Zero v1.0 Universal
Tests for CVE-2014-7169 and CVE-2014-7186 create temporary files insecurely.
Correction for some typos:
diff --git a/bashcheck b/bashcheck
index c4309b6..57325f1 100755
--- a/bashcheck
+++ b/bashcheck
@@ -22,16 +22,16 @@ if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
- echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not explitable\033[39m"
+ echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
- echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not explitable\033[39m"
+ echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
scary=0
elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
- echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not explitable\033[39m"
+ echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
scary=0
else
- echo -e "\033[92mVariable function parser inactive, bugs not explitable\033[39m"
+ echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
scary=0
fi
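Review bot: the phrase "bugs not exploitable" is still spelled out separately in all four changed echo lines of this if/elif chain, which is why a single misspelling needed four fixes; consider setting only the varying part of the message in each branch ([%%, upstream], [(), redhat], [<..>%%, apple], or "inactive") and printing the shared text once after fi. Separately, in the context lines `$bash` is unquoted in every `env ... $bash -c a` test, so a bash path containing spaces would be split into several words; quoting it as "$bash" avoids that.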
If you run this shellshock test:
https://gist.github.com/KalenAnson/231db4b468fc53a5ae7d
(https://gist.github.com/231db4b468fc53a5ae7d.git )
I get a positive, while with this `bashcheck` test I get none
przhu has modified your script and now my console shows a vulnerability:
Vulnerable to CVE-2014-7187 (nessted loops off by one)
I think using `bash -c 'echo $BASH_VERSION'` is better to avoid "unknown option" message.
I think current code would not work properly for CVE-2014-7187.
wrong
(snip)"for x$i in; do :;"(snip)
right
(snip)"for x$i in; do :"(snip)
maybe...
I'm having a cosmetic issue: When run on a black-on-white terminal, at least the yellow output is nearly completely unreadable and I have to copy-and-paste it to be able to actually read it. Please either provide a switch to deactivate coloring or detect whether the output goes to a terminal and show colors only then, so that './bashcheck | cat' removes the colors, like ls does.
On Solaris the script produces two errors - one is for a missing option for grep, the other is about an unremovable directory.
Would very much appreciate fixing it.
Testing /usr/bin/bash ...
GNU bash, version 3.2.52(1)-release (sparc-sun-solaris2.10)
Variable function parser pre/suffixed [(), redhat], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
grep: illegal option -- q
Usage: grep -hblcnsviw pattern file . . .
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
rm: Cannot remove any directory in the path of the current working directory
/tmp/tmp.XX_BaOQT
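The three portability complaints above (colors written to non-terminal output, `grep -q` rejected on Solaris, and `rm` refusing to delete the directory the script is standing in) can each be handled with a small POSIX shell helper. This is an added example, not code from bashcheck or from any of the posters; the helper names `report`, `contains` and `in_tmpdir` are hypothetical.

```shell
#!/bin/sh
# Added example, not bashcheck's own code. Helper names are hypothetical.

# report LEVEL MESSAGE: color only when stdout is a terminal, so that
# "./script | cat" or a redirect to a file yields plain text.
report() {
    level=$1; shift
    if [ -t 1 ]; then
        case $level in
            good) code=92 ;;
            warn) code=93 ;;
            *)    code=91 ;;
        esac
        # printf interprets \033 itself; no reliance on "echo -e"
        printf '\033[%sm%s\033[39m\n' "$code" "$*"
    else
        printf '%s\n' "$*"
    fi
}

# contains PATTERN: succeed if stdin has a matching line. The Solaris
# grep in the report above rejects -q, so discard the output instead.
contains() {
    grep "$1" >/dev/null
}

# in_tmpdir COMMAND...: run COMMAND in a private directory from mktemp -d
# (unpredictable name, mode 0700), then leave it before deleting it, since
# rm may refuse to remove a directory the shell is still standing in.
in_tmpdir() {
    start=$PWD
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/check.XXXXXX") || return 1
    cd "$tmpdir" || { rmdir "$tmpdir"; return 1; }
    "$@"
    status=$?
    cd "$start" || cd /
    rm -rf "$tmpdir"
    return "$status"
}

# Constructed demo: run a probe inside the temporary directory.
if in_tmpdir sh -c 'echo probe > out && cat out' | contains probe; then
    report good "probe ran and temporary directory was cleaned up"
else
    report bad "probe failed"
fi
```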
'Test for CVE-2014-7187 not reliable without address sanitizer' is meaningful to the average user.
Do I need to install something else to make this run this test? Or does this mean it is not relevant?
Please can there be a more descriptive message that advises how to proceed?
Thanks
The code currently uses the following to test patched Apple bash versions:
env 'BASH_FUNC_<a>%%'=
Which implies BASH_FUNC_< and >%% suffix. However, it's not what is documented by Apple:
http://support.apple.com/kb/HT6495
The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" ...
I don't have a way to test, only pointing out inconsistency with what I found documented in the official update documentation and internet discussions.
I have tried the script and output seems fine, but my /var/log/messages gets a segfault whenever I run it. Anybody have a clue as to why?
Tried running each test for the vulnerabilities separately and no problems there, but the script gives a segfault though still correct output.
Oct 17 16:06:26 localhost kernel: bash[1440]: segfault at 0 ip 00007fa34976e451 sp 00007fff998aa168 error 4 in libc-2.12.so[7fa3496ed000+18b000]
root@localhost ~]# bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
This seems to be the last version in my CentOS repository. I tried to reproduce the same problem on a new Ubuntu and no issues here.
I'm still getting vulnerable results from Macs running the official Apple bash fix. After the changes made to that test today, I'm not clear if that's the expected outcome or not. Should patched machines show vulnerable for the -7186 test or no?
Origin.
MBP-DEVELOP:~ MBP-Devrop$ ./bashorig.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashorig.sh: line 15: 10880 Segmentation fault: 11 bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
Change to Line 18. (Line no. is your git original code)
Origin
bash -c "true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null"
Modified
bash -c "
true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null
Result.
MBP-DEVELOP:~ MBP-Devrop$ ./bashtest.good
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
Please confirm.
Regards
The output is not readable on a non-black/dark terminal.
Hi there.
I ran bashcheck under Snow Leopard (10.6.8) and ran into a couple of issues, most noticeably a segmentation fault.
My bash version is:
GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0)
Here’s the output:
$ ./bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 97643 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)