Skip to content

Instantly share code, notes, and snippets.

@wilkinson

wilkinson/.bashrc

Created September 25, 2014 18:56
Show Gist options
  • Star 5 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save wilkinson/9fedbacb6917c9cf6e36 to your computer and use it in GitHub Desktop.
Save wilkinson/9fedbacb6917c9cf6e36 to your computer and use it in GitHub Desktop.
Download ZIP
Shellshock check for bashrc
Raw
.bashrc
# To anyone worried about using servers that may not have attentive admins --
# put the following line(s) in your ~/.bashrc to help protect yourself:
env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED"' \
bash --norc -c ':' 2>/dev/null;
# It will print to stdout if and only if your shell is vulnerable, and nothing
# will be printed if your shell has been patched. It will take a little longer
# to launch a new shell slightly, but for some, this may be worth it.
@wilkinson
Copy link
Author

To read more about "Shellshock", see the summary here.

@JuanitoMoore
Copy link

Add to the above (To identify which bash has the problem):

... DETECTED in $(which bash)"' \

One might have /usr/local/bin/bash in the path that is fixed, but is using /bin/bash which isn't -- giving one a false sense of security... thus also add the following:

if [ "$(which bash)" != "${BASH}" ]; then
env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED in ${BASH}"'
${BASH} --norc -c ':' 2>/dev/null;
if

Note: Using ${BASH} checks the actual bash used, rather than the bash in your current path..

And it could even be uglier... you aren't using /bin/bash in your shell, but the server is, add:

if [ "/bin/bash" != "${BASH}" ] &&
[ "/bin/bash" != "$(which bash)" ] &&
[ -x /bin/bash ]; then
env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED in /bin/bash"'
/bin/bash --norc -c ':' 2>/dev/null;
fi

@lucc
Copy link

lucc commented Sep 26, 2014

if you are concerned about different bash versions on the system you might try to catch them all with something like

for exe in `which -a sh bash`; do
  env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED in '$exe'"' \
    $exe --norc -c : 2>/dev/null
done

@PenelopeFudd
Copy link

Here, let's include ${BASH}, dedup the list, and add extra quotes for crazy people with whitespace in their filenames:

# Shellshock test 
count=$( (echo ${BASH};which -a bash sh ) | sort -u | wc -l)
for (( a=1 ; $a<=$count; a=$a+1 )); do
  exe="$((echo ${BASH};which -a bash sh ) | sort -u | head -$a | tail -1)"
  env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED in $exe"' "$exe" --norc -c : 2>/dev/null
done
unset count exe a

Note: it turned out to be fiendishly hard to deal with whitespace in $BASH and $PATH.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment