BASH Vulnerability – ShellShock

Last month I blogged about the newest vulnerability in BASH. It now has an official name, “ShellShock”, and it appears to be exploited in the wild by the Mayhem botnet, which is aimed at Linux systems.

Unfortunately, it’s not just web servers that are vulnerable. There are lots of devices out there that use Linux web servers, from home routers to mobile phones and other devices.

I’d recommend that anyone using a Linux-based system run the following tests to make sure their system is not vulnerable.

Tests for Shellshock Vulnerability

Further Information

Remote Vulnerability in BASH

There’s been a report of a new code injection attack in Linux, using environment variables. To test whether your system is vulnerable, run the following command from an SSH session:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you’re OK, you should get something like this:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If not, you will get something like this:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test


If vulnerable, it’s recommended to patch the BASH installation.
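
A host can carry more than one BASH binary, so the script below runs the same test against each one it finds and classifies the result from standard output alone, because a patched BASH may or may not print the warning shown above. It is an added example, not part of the original post; the function names and the list of locations searched are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): run the post's test against
# every bash binary found on this host, not just the first one on PATH.

# Classify the stdout of the post's test command.
classify_output() {
    case "$1" in
        vulnerable*"this is a test"*) echo vulnerable ;;    # injected echo ran
        "this is a test")             echo patched ;;       # definition ignored
        *)                            echo inconclusive ;;  # test did not run as expected
    esac
}

# Run the post's test against one binary (path passed as $1).
check_bash() {
    if [ ! -x "$1" ]; then echo missing; return 0; fi
    # stderr is dropped: the warning text differs between patched versions.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null) || true
    classify_output "$out"
}

# Candidate list is an assumption: PATH lookup, /etc/shells, common paths.
list_bash_binaries() {
    {
        command -v bash
        if [ -r /etc/shells ]; then grep '/bash$' /etc/shells; fi
        for f in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
            if [ -x "$f" ]; then echo "$f"; fi
        done
    } 2>/dev/null | sort -u
}

# Print one "path: result" line per binary found.
scan_host() {
    list_bash_binaries | while read -r b; do
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
    return 0
}

scan_host
```

Any binary reported as vulnerable needs the patched BASH package; an inconclusive result means the test command did not produce its normal output and should be re-run by hand.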

Further Information
