From 80a7ee8b3de565ab4d06b7031a6de930047e3f0f Mon Sep 17 00:00:00 2001
From: Chris Koeritz
Date: Fri, 12 Dec 2014 13:35:53 -0500
Subject: [PATCH] adding in test for shellshock bug to be run on unix systems with bash; original url was added to the file.
---
scripts/security/shellshock_test.sh | 85 +++++++++++++++++++++++++++++
1 file changed, 85 insertions(+)
create mode 100644 scripts/security/shellshock_test.sh
diff --git a/scripts/security/shellshock_test.sh b/scripts/security/shellshock_test.sh
new file mode 100644
index 00000000..82a2b794
--- /dev/null
+++ b/scripts/security/shellshock_test.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+EXITCODE=0
+
+# this file was downloaded with this command:
+# curl https://shellshocker.net/shellshock_test.sh >shellshock_test.sh
+
+# CVE-2014-6271
+CVE20146271=$(env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test" 2>&1 | grep 'vulnerable' | wc -l)
+
+echo -n "CVE-2014-6271 (original shellshock): "
+if [ $CVE20146271 -gt 0 ]; then
+ echo -e "\033[91mVULNERABLE\033[39m"
+ EXITCODE=$((EXITCODE+1))
+else
+ echo -e "\033[92mnot vulnerable\033[39m"
+fi
+
+# CVE-2014-6277
+# it is fully mitigated by the environment function prefix passing avoidance
+CVE20146277=$((shellshocker="() { x() { _;}; x() { _;} </dev/null || echo vulnerable) | grep 'vulnerable' | wc -l)
+
+echo -n "CVE-2014-6277 (segfault): "
+if [ $CVE20146277 -gt 0 ]; then
+ echo -e "\033[91mVULNERABLE\033[39m"
+ EXITCODE=$((EXITCODE+2))
+else
+ echo -e "\033[92mnot vulnerable\033[39m"
+fi
+
+# CVE-2014-6278
+CVE20146278=$(shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable' | wc -l)
+
+echo -n "CVE-2014-6278 (Florian's patch): "
+if [ $CVE20146278 -gt 0 ]; then
+ echo -e "\033[91mVULNERABLE\033[39m"
+ EXITCODE=$((EXITCODE+4))
+else
+ echo -e "\033[92mnot vulnerable\033[39m"
+fi
+
+# CVE-2014-7169
+CVE20147169=$((cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ "$(cat echo 2> /dev/null)" == "nonvuln" ]] && echo "vulnerable" 2> /dev/null) | grep 'vulnerable' | wc -l)
+
+echo -n "CVE-2014-7169 (taviso bug): "
+if [ $CVE20147169 -gt 0 ]; then
+ echo -e "\033[91mVULNERABLE\033[39m"
+ EXITCODE=$((EXITCODE+8))
+else
+ echo -e "\033[92mnot vulnerable\033[39m"
+fi
+
+# CVE-2014-7186
+CVE20147186=$((bash -c 'true </dev/null || echo "vulnerable") | grep 'vulnerable' | wc -l)
+
+echo -n "CVE-2014-7186 (redir_stack bug): "
+if [ $CVE20147186 -gt 0 ]; then
+ echo -e "\033[91mVULNERABLE\033[39m"
+ EXITCODE=$((EXITCODE+16))
+else
+ echo -e "\033[92mnot vulnerable\033[39m"
+fi
+
+# CVE-2014-7187
+CVE20147187=$(((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) | bash || echo "vulnerable") | grep 'vulnerable' | wc -l)
+
+echo -n "CVE-2014-7187 (nested loops off by one): "
+if [ $CVE20147187 -gt 0 ]; then
+ echo -e "\033[91mVULNERABLE\033[39m"
+ EXITCODE=$((EXITCODE+32))
+else
+ echo -e "\033[92mnot vulnerable\033[39m"
+fi
+
+# CVE-2014-////
+CVE2014=$(env X=' () { }; echo vulnerable' bash -c 'date' | grep 'vulnerable' | wc -l)
+
+echo -n "CVE-2014-//// (exploit 3 on http://shellshocker.net/): "
+if [ $CVE2014 -gt 0 ]; then
+ echo -e "\033[91mVULNERABLE\033[39m"
+ EXITCODE=$((EXITCODE+64))
+else
+ echo -e "\033[92mnot vulnerable\033[39m"
+fi
+
+exit $EXITCODE
--
2.34.1
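Review bot: The CVE-2014-7169 check works in the shared `/tmp` directory under the fixed name `echo` (`cd /tmp; rm -f /tmp/echo; ... cat echo`), so on a multi-user host another account can pre-create that name and skew the result, and any file the probe creates there is left behind after the run. Running the probe in a private directory avoids both: `tmpdir=$(mktemp -d) || exit 1` and `trap 'rm -rf -- "$tmpdir"' EXIT` near the top of the script, then `cd "$tmpdir"` in place of `cd /tmp; rm -f /tmp/echo`. Separately, the CVE-2014-6277 and CVE-2014-7186 assignments as shown on this page have unbalanced quotes, which looks like text lost in rendering rather than in the commit; compare them against the committed file before running the script. A header comment such as `# exit status is a bit mask: 1, 2, 4, 8, 16, 32, 64 - one bit per failed check` would also help callers that act on the return value.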