# To anyone worried about using servers that may not have attentive admins --
# put the following line(s) in your ~/.bashrc to help protect yourself:
env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED"' \
    bash --norc -c ':' 2>/dev/null;
# It will print to stdout if and only if your shell is vulnerable, and nothing
# will be printed if your shell has been patched. It will take slightly longer
# to launch a new shell, but for some, this may be worth it.
Add to the above (To identify which bash has the problem):
... DETECTED in $(which bash)"' \
One might have /usr/local/bin/bash in the path that is fixed, but is using /bin/bash which isn't -- giving one a false sense of security... thus also add the following:
if [ "$(which bash)" != "${BASH}" ]; then
    env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED in ${BASH}"' \
        ${BASH} --norc -c ':' 2>/dev/null;
fi
Note: Using ${BASH} checks the actual bash used, rather than the bash in your current path.
And it could even be uglier... you aren't using /bin/bash in your shell, but the server is, add:
if [ "/bin/bash" != "${BASH}" ] &&
[ "/bin/bash" != "$(which bash)" ] &&
[ -x /bin/bash ]; then
    env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED in /bin/bash"' \
        /bin/bash --norc -c ':' 2>/dev/null;
fi
If you are concerned about different bash versions on the system, you might try to catch them all with something like:
for exe in `which -a sh bash`; do
env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED in '$exe'"' \
$exe --norc -c : 2>/dev/null
done
Here, let's include ${BASH}, dedup the list, and add extra quotes for crazy people with whitespace in their filenames:
# Shellshock test
count=$( (echo ${BASH};which -a bash sh ) | sort -u | wc -l)
for (( a=1 ; $a<=$count; a=$a+1 )); do
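    # The space after "$(" keeps this from being read as arithmetic expansion.
    exe="$( (echo ${BASH};which -a bash sh ) | sort -u | head -$a | tail -1)"
    # exe is passed through the environment so the child shell can expand $exe in the warning.
    env exe="$exe" x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED in $exe"' "$exe" --norc -c : 2>/dev/null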
done
unset count exe a
Note: it turned out to be fiendishly hard to deal with whitespace in $BASH and $PATH.
To read more about "Shellshock", see the summary here.
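As an added example (not part of the gist or its comments): the same probe in POSIX sh, with candidate discovery that reads paths line by line so spaces in $BASH or in $PATH entries survive. The function names and the SHELLSHOCK_MARKER string are made up for this example; paths containing newlines are not handled.

```sh
#!/bin/sh
# Added example, not from the gist. Function names are hypothetical.

# Exit 0 if the shell at $1 runs the command trailing an imported function
# definition (the test string used in the gist), 1 otherwise.
shellshock_probe() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    [ "$(env x='() { :;}; echo SHELLSHOCK_MARKER' \
        "$1" --norc -c ':' 2>/dev/null </dev/null)" = "SHELLSHOCK_MARKER" ]
}

# Print candidate shells, one per line, deduplicated: the running bash
# ($BASH, empty under other shells), /bin/bash, and every bash/sh in $PATH.
# The explicit subshell keeps the IFS and noglob changes from leaking.
shellshock_candidates() {
    (
        set -f      # no globbing while splitting $PATH
        IFS=:       # split on ':' only, so spaces in directory names survive
        for p in "${BASH:-}" /bin/bash; do
            [ -f "$p" ] && [ -x "$p" ] && printf '%s\n' "$p"
        done
        for dir in $PATH; do
            for name in bash sh; do
                p="${dir:-.}/$name"     # an empty PATH entry means "."
                [ -f "$p" ] && [ -x "$p" ] && printf '%s\n' "$p"
            done
        done
    ) | sort -u
}

# Warn once per vulnerable shell; prints nothing when every shell is patched.
shellshock_scan() {
    shellshock_candidates | while IFS= read -r exe; do
        if shellshock_probe "$exe"; then
            printf 'WARNING: SHELLSHOCK DETECTED in %s\n' "$exe"
        fi
    done
}

shellshock_scan
```

Shells that do not accept `--norc` (dash, for instance) simply exit with an error that is discarded, so they are never reported.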