A new vulnerability in GNU Bash (referred to as the Shellshock Bash Bug, tracked as CVE-2014-6271) has been disclosed. Every version of bash released before the announcement on 24 September 2014 (bash 1.14 through 4.3) is exploitable and MUST be patched immediately.
The bug is in the way bash imports shell functions from the environment: any environment variable whose value starts with "() {" is parsed as a function definition, and a vulnerable bash keeps parsing past the closing brace and executes whatever commands follow it. Any service that copies attacker-controlled input into an environment variable and then starts bash (directly, or through a /bin/sh that is really bash) therefore gives a remote attacker code execution on your server, with no login required.
Exploitable systems include:
- Linux (and Linux-based) servers
- Linux (and Linux-based) desktops
- Apple OS X machines (OS X ships a vulnerable bash as its default shell)
- Apache web servers using mod_cgi / mod_cgid (request headers such as User-Agent are handed to CGI scripts as environment variables, so a single crafted HTTP request reaches bash)
- Various Linux-based embedded systems including routers, Raspberry Pis and similar devices
- Any other service that passes untrusted data through the environment before invoking bash, such as OpenSSH ForceCommand restrictions or DHCP clients
Following the original exploit announcement, further bugs in the same bash code path have been reported, and the first patch turned out to be incomplete (see CVE-2014-7169 and the follow-ups that came after it), so additional updates and patches are needed even if you applied the original fix.
If you run any servers, desktops, laptops or devices that include bash, test and patch them immediately.
How To Test for Shellshock Bash Vulnerability
The following command does not need root: run it as any user from a shell prompt, entered all on one line. It tests the bash found first in your PATH, so repeat it with an explicit path (for example /bin/bash, or /bin/sh where that is a link to bash) for the shells your services actually spawn…
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Tested"
If your system is already patched against the original bug, the only output you will see is
Bash Tested
(this is good 🙂)
If you see
Bash is vulnerable!
Bash Tested
or
Bash is vulnerable!
Bash is vulnerable!
Bash Tested
then the trailing commands were executed and your bash is exploitable (this is bad 🙁). Note that seeing only "Bash Tested" shows that this particular function-import vector is closed; it does not prove that the later follow-up bugs are fixed, so still install the latest bash package from your distribution.
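As an added example (not code from the original post), here is a small POSIX sh script that automates the check above and extends it to the follow-up bug CVE-2014-7169, which the first patch did not fully close. It uses the publicly circulated test strings for each bug, and the marker text SHELLSHOCK-6271 and the list of shells to probe are my own choices. It assumes only that env and mktemp are available (true on any Linux or OS X system) and checks the shells a service is actually likely to spawn, including /bin/sh, since that is what CGI handlers and system() use.

```shell
#!/bin/sh
# Added example, not part of the original post: probe one or more shell
# binaries for the original Shellshock bug (CVE-2014-6271) and for the
# follow-up CVE-2014-7169, which the first patch did not fully close.
# check_shellshock returns 0 when neither probe fires and 1 when one does.

# CVE-2014-6271: bash imports any environment variable whose value begins
# with "() {" as a function. A vulnerable bash keeps parsing past the closing
# brace and runs the trailing command, so the marker shows up in the output.
probe_cve_2014_6271() {
    out=$(env 'X=() { :;}; echo SHELLSHOCK-6271' "$1" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK-6271*) return 1 ;;   # trailing command ran: vulnerable
        *)                 return 0 ;;
    esac
}

# CVE-2014-7169: the first patch left the parser in a bad state after a
# malformed function body. On an affected bash the value "() { (a)=>\" turns
# the command "echo date" into a redirection that writes the output of `date`
# into a file literally named "echo". Run in a throwaway directory and look
# for that file; a fixed bash just prints "date" and creates nothing.
probe_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env 'X=() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1                       # redirection happened: vulnerable
    fi
    rm -rf "$tmp"
    return 0
}

# Run both probes against one binary, print a verdict, return 0 if clean.
# A shell that is not installed is reported and skipped (still returns 0).
check_shellshock() {
    bin="${1:-bash}"
    if ! [ -x "$bin" ] && ! command -v "$bin" >/dev/null 2>&1; then
        echo "$bin: not found, skipping"
        return 0
    fi
    status=0
    if probe_cve_2014_6271 "$bin"; then
        echo "$bin: CVE-2014-6271 probe did not fire"
    else
        echo "$bin: VULNERABLE to CVE-2014-6271"
        status=1
    fi
    if probe_cve_2014_7169 "$bin"; then
        echo "$bin: CVE-2014-7169 probe did not fire"
    else
        echo "$bin: VULNERABLE to CVE-2014-7169"
        status=1
    fi
    return $status
}

# Check every shell a service might actually spawn: the bash on PATH, the
# system bash, and /bin/sh (bash on many distributions, and the shell used by
# system() and CGI handlers). Returns 1 if any of them is vulnerable.
check_all_shells() {
    rc=0
    for s in bash /bin/bash /bin/sh; do
        check_shellshock "$s" || rc=1
    done
    return $rc
}

# Usage: sh shellshock-check.sh ; the exit status is 1 if anything fired.
check_all_shells
```

If /bin/sh on your system is dash or another non-bash shell, both probes report "did not fire" for it, which is correct: the bug is in bash's function import, so a service that spawns dash is not exposed through that shell. A "not found" line for /bin/bash is itself worth noticing on a server you expected to have bash.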