This test will show whether bash is vulnerable on your installation.
Code:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If it is vulnerable, it will return
I tried to update my 12.04 installation from the Ubuntu repositories after the test showed bash to be vulnerable.
Trying to upgrade from the Ubuntu repositories left my bash vulnerable.
I downloaded bash4.3 source from Launchpad and compiled and installed it.
I still had a vulnerability.
I pulled this code from debian.org and saved it as build-bash.sh and, when I ran it, I was able to run the test and get
Here's the link for this script:
https://gist.github.com/mattwhite/86de50d30134129e44ef
Code:
# inspired by http://askubuntu.com/a/528171
# stop at the first failed step so a partially patched build is never installed
set -e
# prerequisites
sudo apt-get install bison
# get bash 3.2 source
mkdir src && cd src
wget http://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz
tar zxvf bash-3.2.tar.gz
cd bash-3.2
# download and apply all patches, including the latest one that patches CVE-2014-6271
for i in $(seq -f "%03g" 1 52); do
    wget -nv "http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i"
    patch -p0 < "bash32-$i"
done
# compile and install to /usr/local/bin/bash
./configure && make
sudo make install
# point /bin/bash to the new binary
sudo mv /bin/bash /bin/bash.old
sudo ln -s /usr/local/bin/bash /bin/bash
# test by comparing the output of the following
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo
I hope this helps people.
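The build script above keeps the old binary as /bin/bash.old, so more than one bash can remain on the machine after the fix. The following is an added example, not part of the original post or the linked gist: it runs the same probe against each bash it can find and reports which ones still respond as vulnerable. The function names and the file name check-bash.sh are hypothetical.

```shell
#!/bin/sh
# Added example: run the post's CVE-2014-6271 probe against every bash on the box.

# probe_bash PATH -> prints "vulnerable", "patched" or "error"
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo error; return 0; }
    # Same probe as the post; a patched bash only runs the -c command.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe-done' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *probe-done*) echo patched ;;
        *)            echo error ;;
    esac
}

# Paths the build script touches, plus bash entries in /etc/shells and on PATH.
list_bash_candidates() {
    {
        printf '%s\n' /bin/bash /bin/bash.old /usr/local/bin/bash
        if [ -r /etc/shells ]; then grep -E '^/.*/bash$' /etc/shells || true; fi
        command -v bash || true
    } | sort -u
}

# Print one line per existing binary; return 1 if any is still vulnerable.
scan_all() {
    rc=0
    for b in $(list_bash_candidates); do   # assumes no whitespace in paths
        [ -e "$b" ] || continue
        result=$(probe_bash "$b")
        printf '%-24s %s\n' "$b" "$result"
        if [ "$result" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

# Run the scan only when asked, e.g.: sh check-bash.sh --scan (hypothetical file name)
if [ "${1:-}" = --scan ]; then scan_all; fi
```

A binary reported as vulnerable, such as a leftover /bin/bash.old, can be removed or have its execute bit cleared once the replacement is confirmed working.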