├── LICENSE
├── README.md
└── bashcheck
/LICENSE:
--------------------------------------------------------------------------------
1 | CC0 1.0 Universal
2 |
3 | Statement of Purpose
4 |
5 | The laws of most jurisdictions throughout the world automatically confer
6 | exclusive Copyright and Related Rights (defined below) upon the creator and
7 | subsequent owner(s) (each and all, an "owner") of an original work of
8 | authorship and/or a database (each, a "Work").
9 |
10 | Certain owners wish to permanently relinquish those rights to a Work for the
11 | purpose of contributing to a commons of creative, cultural and scientific
12 | works ("Commons") that the public can reliably and without fear of later
13 | claims of infringement build upon, modify, incorporate in other works, reuse
14 | and redistribute as freely as possible in any form whatsoever and for any
15 | purposes, including without limitation commercial purposes. These owners may
16 | contribute to the Commons to promote the ideal of a free culture and the
17 | further production of creative, cultural and scientific works, or to gain
18 | reputation or greater distribution for their Work in part through the use and
19 | efforts of others.
20 |
21 | For these and/or other purposes and motivations, and without any expectation
22 | of additional consideration or compensation, the person associating CC0 with a
23 | Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
24 | and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
25 | and publicly distribute the Work under its terms, with knowledge of his or her
26 | Copyright and Related Rights in the Work and the meaning and intended legal
27 | effect of CC0 on those rights.
28 |
29 | 1. Copyright and Related Rights. A Work made available under CC0 may be
30 | protected by copyright and related or neighboring rights ("Copyright and
31 | Related Rights"). Copyright and Related Rights include, but are not limited
32 | to, the following:
33 |
34 | i. the right to reproduce, adapt, distribute, perform, display, communicate,
35 | and translate a Work;
36 |
37 | ii. moral rights retained by the original author(s) and/or performer(s);
38 |
39 | iii. publicity and privacy rights pertaining to a person's image or likeness
40 | depicted in a Work;
41 |
42 | iv. rights protecting against unfair competition in regards to a Work,
43 | subject to the limitations in paragraph 4(a), below;
44 |
45 | v. rights protecting the extraction, dissemination, use and reuse of data in
46 | a Work;
47 |
48 | vi. database rights (such as those arising under Directive 96/9/EC of the
49 | European Parliament and of the Council of 11 March 1996 on the legal
50 | protection of databases, and under any national implementation thereof,
51 | including any amended or successor version of such directive); and
52 |
53 | vii. other similar, equivalent or corresponding rights throughout the world
54 | based on applicable law or treaty, and any national implementations thereof.
55 |
56 | 2. Waiver. To the greatest extent permitted by, but not in contravention of,
57 | applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
58 | unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
59 | and Related Rights and associated claims and causes of action, whether now
60 | known or unknown (including existing as well as future claims and causes of
61 | action), in the Work (i) in all territories worldwide, (ii) for the maximum
62 | duration provided by applicable law or treaty (including future time
63 | extensions), (iii) in any current or future medium and for any number of
64 | copies, and (iv) for any purpose whatsoever, including without limitation
65 | commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
66 | the Waiver for the benefit of each member of the public at large and to the
67 | detriment of Affirmer's heirs and successors, fully intending that such Waiver
68 | shall not be subject to revocation, rescission, cancellation, termination, or
69 | any other legal or equitable action to disrupt the quiet enjoyment of the Work
70 | by the public as contemplated by Affirmer's express Statement of Purpose.
71 |
72 | 3. Public License Fallback. Should any part of the Waiver for any reason be
73 | judged legally invalid or ineffective under applicable law, then the Waiver
74 | shall be preserved to the maximum extent permitted taking into account
75 | Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
76 | is so judged Affirmer hereby grants to each affected person a royalty-free,
77 | non transferable, non sublicensable, non exclusive, irrevocable and
78 | unconditional license to exercise Affirmer's Copyright and Related Rights in
79 | the Work (i) in all territories worldwide, (ii) for the maximum duration
80 | provided by applicable law or treaty (including future time extensions), (iii)
81 | in any current or future medium and for any number of copies, and (iv) for any
82 | purpose whatsoever, including without limitation commercial, advertising or
83 | promotional purposes (the "License"). The License shall be deemed effective as
84 | of the date CC0 was applied by Affirmer to the Work. Should any part of the
85 | License for any reason be judged legally invalid or ineffective under
86 | applicable law, such partial invalidity or ineffectiveness shall not
87 | invalidate the remainder of the License, and in such case Affirmer hereby
88 | affirms that he or she will not (i) exercise any of his or her remaining
89 | Copyright and Related Rights in the Work or (ii) assert any associated claims
90 | and causes of action with respect to the Work, in either case contrary to
91 | Affirmer's express Statement of Purpose.
92 |
93 | 4. Limitations and Disclaimers.
94 |
95 | a. No trademark or patent rights held by Affirmer are waived, abandoned,
96 | surrendered, licensed or otherwise affected by this document.
97 |
98 | b. Affirmer offers the Work as-is and makes no representations or warranties
99 | of any kind concerning the Work, express, implied, statutory or otherwise,
100 | including without limitation warranties of title, merchantability, fitness
101 | for a particular purpose, non infringement, or the absence of latent or
102 | other defects, accuracy, or the present or absence of errors, whether or not
103 | discoverable, all to the greatest extent permissible under applicable law.
104 |
105 | c. Affirmer disclaims responsibility for clearing rights of other persons
106 | that may apply to the Work or any use thereof, including without limitation
107 | any person's Copyright and Related Rights in the Work. Further, Affirmer
108 | disclaims responsibility for obtaining any necessary consents, permissions
109 | or other rights required for any use of the Work.
110 |
111 | d. Affirmer understands and acknowledges that Creative Commons is not a
112 | party to this document and has no duty or obligation with respect to this
113 | CC0 or use of the Work.
114 |
115 | For more information, please see
116 |
117 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | bashcheck
2 | =========
3 |
4 | Test script for Shellshock and related vulnerabilities
5 |
6 | background
7 | ==========
8 |
9 | The Bash vulnerability that is now known as Shellshock had an incomplete
10 | fix at first. There are currently 6 public vulnerabilities.
11 |
12 | shellshock and heartbleed
13 | =========================
14 |
15 | I wrote down some general thoughts about recent events and security
16 | in free software:
17 | * https://blog.hboeck.de/archives/857-How-to-stop-Bleeding-Hearts-and-Shocking-Shells.html
18 |
19 | interpreting results
20 | ====================
21 |
22 | There has been some confusion about how to interpret the results of this
23 | script, and some people got scared by warnings on systems that didn't have
24 | any exploitable bugs.
25 |
26 | The most important fix you need is one of the prefix/suffix patches. The
27 | upstream patch numbers for this are bash042-050 and bash043-027 (patches for
28 | older versions are also available). This patch was originally created by
29 | Red Hat developer Florian Weimer, and a modified version was applied by Bash
30 | developer Chet Ramey.
31 |
32 | Once you have this prefix patch, none of the other vulnerabilities are
33 | exploitable. They are still bugs that should be fixed, but there is nothing
34 | to worry about.
35 |
36 |
37 | usage
38 | =====
39 |
40 | Just run the script:
41 | `./bashcheck`
42 |
43 | CVE-2014-6271
44 | =============
45 |
46 | The original vulnerability.
47 |
48 | * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
49 |
50 | CVE-2014-7169
51 | =============
52 |
53 | Further parser error, found by Tavis Ormandy (taviso).
54 |
55 | * https://twitter.com/taviso/status/514887394294652929
56 | * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
57 |
58 | CVE-2014-7186
59 | =============
60 |
61 | Out-of-bounds memory read error in redir_stack.
62 |
63 | * http://seclists.org/oss-sec/2014/q3/712
64 | * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
65 |
66 | CVE-2014-7187
67 | =============
68 |
69 | Off-by-one error in nested loops.
70 | (the check only works when Bash is built with -fsanitize=address)
71 |
72 | * http://seclists.org/oss-sec/2014/q3/712
73 | * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
74 |
75 | CVE-2014-6277
76 | =============
77 |
78 | Uninitialized memory use in make_redirect(), found by
79 | Michal Zalewski (lcamtuf).
80 |
81 | * http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html
82 | * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
83 |
84 | CVE-2014-6278
85 | =============
86 |
87 | Another parser bug (analysis still incomplete), also found
88 | by Michal Zalewski (lcamtuf).
89 |
90 | * http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html
91 | * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
92 |
93 | Patch recommendation
94 | ====================
95 |
96 | The latest upstream patches (4.3 since patchlevel 030, 4.2 since patchlevel 051)
97 | include all fixes.
98 |
99 | They also add prefixing to variable functions (a variant of Florian
100 | Weimer's patch). This protects against further function parser bugs and makes
101 | them unlikely to be exploitable.
102 |
103 | My current recommendation: use the latest upstream patches.
104 |
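As an added example (not code from the bashcheck repository), the following POSIX shell script shows the prefix/suffix mechanism from both sides: it reads back the environment variable name a given bash uses when it exports a function, classifies that name as upstream, Red Hat, Apple or unpatched, and confirms that only that name is imported again while the bare name stays an ordinary string. It assumes a `bash` binary on PATH (override with `BASH_BIN`); the function name `probe_fn` is constructed for the probe.

```shell
#!/bin/sh
# Added example, not part of the bashcheck repository. Shows both sides of the
# prefix/suffix patch: which environment variable name a bash uses when it
# exports a function, and that only that name is turned back into a function.
# Assumes a "bash" binary on PATH (override with BASH_BIN); "probe_fn" is a
# constructed function name used only for this probe.
BASH_BIN="${BASH_BIN:-bash}"

# Environment variable name under which this bash exports function "probe_fn":
# BASH_FUNC_probe_fn%% (upstream), BASH_FUNC_probe_fn() (Red Hat),
# __BASH_FUNC<probe_fn>() (Apple) or a bare "probe_fn" (unpatched).
export_name() {
    "$BASH_BIN" -c 'probe_fn() { echo hi; }; export -f probe_fn; env' 2>/dev/null \
        | grep '^[^=]*probe_fn[^=]*=() {' | head -n 1 | cut -d= -f1
}

# Classify the scheme; "unpatched" is the Shellshock-era behaviour.
export_scheme() {
    case "$(export_name)" in
        'BASH_FUNC_probe_fn%%')    echo upstream ;;
        'BASH_FUNC_probe_fn()')    echo redhat ;;
        '__BASH_FUNC<probe_fn>()') echo apple ;;
        'probe_fn')                echo unpatched ;;
        *)                         echo unknown ;;
    esac
}

# Round trip: a variable carrying the scheme's own name must be imported as a
# function, while the bare name (the form the original Shellshock reports
# abused) must stay an ordinary string. Prints "ok" when both hold.
import_roundtrip() {
    name=$(export_name)
    via_scheme=$(env "$name=() { echo imported; }" "$BASH_BIN" -c 'probe_fn' 2>/dev/null) || :
    via_bare=$(env 'probe_fn=() { echo imported; }' "$BASH_BIN" -c 'probe_fn' 2>/dev/null) || :
    if [ "$via_scheme" = imported ] && [ -z "$via_bare" ]; then
        echo ok
    else
        echo "scheme=$via_scheme bare=$via_bare"
    fi
}

echo "export scheme: $(export_scheme)"
echo "import round trip: $(import_roundtrip)"
```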
--------------------------------------------------------------------------------
/bashcheck:
--------------------------------------------------------------------------------
#!/bin/bash
# bashcheck: test the given bash binary (default: the first "bash" on PATH) for
# Shellshock (CVE-2014-6271) and the related parser bugs listed in the README.

# Report a finding. It is only "scary" when the bare variable-function parser is
# active (no prefix/suffix patch); with the patch the same bug is not exploitable.
warn() {
	if [ "$scary" == "1" ]; then
		echo -e "\033[91mVulnerable to $1\033[39m"
	else
		echo -e "\033[93mFound non-exploitable $1\033[39m"
	fi
}

good() {
	echo -e "\033[92mNot vulnerable to $1\033[39m"
}

tmpdir=$(mktemp -d -t tmp.XXXXXXXX)

# Optional first argument: name or path of the bash binary to test.
if [ -n "$1" ]; then
	bash=$(which "$1") || { echo "Cannot find $1" >&2; rm -rf "$tmpdir"; exit 1; }
else
	bash=$(which bash)
fi
echo -e "\033[95mTesting $bash ..."
"$bash" -c 'echo "Bash version $BASH_VERSION"'
echo -e "\033[39m"

# Which environment variable names does this bash import functions from?
# A bare name (a="() { ...}") means the unpatched parser is active and every
# parser bug below is reachable through the environment.
#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" "$bash" -c a 2>/dev/null)" ]; then
	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
	scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" "$bash" -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" "$bash" -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env '__BASH_FUNC<a>()'="() { echo x;}" "$bash" -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [__BASH_FUNC<..>(), apple], bugs not exploitable\033[39m"
	scary=0
else
	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
	scary=0
fi

# CVE-2014-6271: commands trailing the function body are executed on import.
r=$(env x="() { :; }; echo x" "$bash" -c "" 2>/dev/null)
if [ -n "$r" ]; then
	warn "CVE-2014-6271 (original shellshock)"
else
	good "CVE-2014-6271 (original shellshock)"
fi

# CVE-2014-7169: the parser carries a dangling redirection over to the next
# command, so "echo" creates a file named "echo" in the current directory.
pushd "$tmpdir" > /dev/null
env x='() { function a a>\' "$bash" -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
	warn "CVE-2014-7169 (taviso bug)"
else
	good "CVE-2014-7169 (taviso bug)"
fi
popd > /dev/null

# CVE-2014-7186: more here-documents than redir_stack can hold. An ASan build
# reports the out-of-bounds access on stderr; a plain build may segfault (139).
"$bash" -c "true $(printf '<<EOF %.0s' {1..80})" > /dev/null 2> "$tmpdir/bashcheck.tmp"
ret=$?
if grep -q AddressSanitizer "$tmpdir/bashcheck.tmp" || [ "$ret" == 139 ]; then
	warn "CVE-2014-7186 (redir_stack bug)"
else
	good "CVE-2014-7186 (redir_stack bug)"
fi

# CVE-2014-7187: 200 nested for loops overrun the nesting bookkeeping by one.
# Without an address sanitizer the overrun is usually silent, so only a
# failing exit status is conclusive.
"$bash" -c "$(for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;"; done)" 2>/dev/null
if [ $? != 0 ]; then
	warn "CVE-2014-7187 (nested loops off by one)"
else
	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi

# CVE-2014-6277: a nested function definition followed by a here-document hits
# uninitialized memory in make_redirect(); a vulnerable bash crashes.
"$bash" -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null
if [ $? != 0 ]; then
	warn "CVE-2014-6277 (lcamtuf bug #1)"
else
	good "CVE-2014-6277 (lcamtuf bug #1)"
fi

# CVE-2014-6278: a second parser bug; the check is whether the trailing
# "{ echo x;}" runs on import, tried under the bare name and both prefixed names.
if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' "$bash" -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' "$bash" -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' "$bash" -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
else
	good "CVE-2014-6278 (lcamtuf bug #2)"
fi

rm -rf "$tmpdir"

--------------------------------------------------------------------------------