What is #shellshock?

Shellshock (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) is a vulnerability in GNU's bash shell. Bash imported function definitions from environment variables and kept executing whatever followed the function body, so anything that lets an attacker set an environment variable that bash later reads (a web server running CGI scripts, for example) lets that attacker run commands on the system. If your system's bash has not been updated since Tue Sep 30 2014, 1:32PM EST (see the patch history), you are most definitely vulnerable and have been since first boot. According to NVD the vulnerability affects every version from 1.14 (released in 1994) through the most recent version, 4.3.

You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.

Join the discussion below.


Testing Your System

To test your system, you can simply run the one-liner below. Be aware that it pipes a downloaded script straight into bash; if you would rather not take that on trust, fetch the script, read it, and then run it (its source is linked below).

curl https://shellshocker.net/shellshock_test.sh | bash

You can view the source of shellshock_test.sh on GitHub.

If you want to test each exploit individually without running the script above, feel free! They are listed below.

Exploit 1 (CVE-2014-6271)

There are a few different ways to test whether your system is vulnerable to Shellshock. Start with the original bug: bash turned any environment variable whose value began with "() {" into a function, and it kept parsing and executing whatever followed the closing brace. Try running the following command in a shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable", bash executed the command that followed the function body and you need to update bash. If you don't, you have at least the first fix; keep going, because the tests below cover bugs found after it.

Exploit 2 (CVE-2014-7169)

The first fix was incomplete, so even after upgrading bash you may still be vulnerable to this one. Run the following in a scratch directory, since on a vulnerable system it creates a file named "echo" in the current directory (the cat and rm at the end show and clean up that file).

env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo

If the above command outputs the current date (it may also show errors), you are still vulnerable: the parser let the dangling redirection from the environment variable carry over into the command, so "echo date" was run as "date > echo". A patched bash simply prints the word "date" and creates no file.

Exploit 3 (???)

Here is another variation of the exploit: the value starts with a space before the "() {" marker. Please leave a comment below if you know the CVE of this variant.

env X=' () { }; echo hello' bash -c 'date'

If the above command outputs "hello", you are vulnerable.

Exploit 4 (CVE-2014-7186)

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"

Bash keeps the pending here-document redirections on a fixed-size stack (redir_stack); 14 of them overrun it and a vulnerable bash crashes, so the echo after || runs and prints "CVE-2014-7186 vulnerable, redir_stack". A patched bash only warns that the here-documents are unterminated and exits successfully.

Exploit 5 (CVE-2014-7187)

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"

The loop generates 200 nested for loops, which overrun the word_lineno array in a vulnerable bash and crash it, so the echo after || runs and prints "CVE-2014-7187 vulnerable, word_lineno". A patched bash runs the (empty) loops and exits successfully.

Exploit 6 (CVE-2014-6278)

shellshocker='() { echo You are vulnerable; }' bash -c shellshocker

You shouldn't see "You are vulnerable". This command checks whether bash still imports a function from an arbitrarily named environment variable; a hardened bash only imports functions from specially named variables (the BASH_FUNC_ prefix), so the variable stays a plain string and you will see "bash: shellshocker: command not found".

Exploit 7 (CVE-2014-6277)

bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable

Redefining a function that carries a here-document hits uninitialised memory in a vulnerable bash and crashes it. If the command outputs "vulnerable", you are vulnerable; a patched bash defines the function and exits successfully.
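As an added example (not part of shellshocker.net's own test script), here is a POSIX sh function that runs the seven checks above against any bash binary you name. That is useful after building from source, when the fixed bash may sit in /usr/local/bin while /bin/bash is still the old one. It runs the CVE-2014-7169 check inside a scratch directory so the "echo" file it creates never lands in your working directory. The labels, the scratch-directory handling and the convention that the exit status is the number of checks that came back vulnerable are this example's own choices.

```sh
#!/bin/sh
# Added example, not shellshocker.net's own script: run the seven checks from
# this page against one bash binary.
# Usage: sh shellshock_check.sh [/path/to/bash]   (default: bash from $PATH)
# Exit status = number of checks that reported "vulnerable".

# Print one verdict line and count it. $1 = label, $2 = 1 if vulnerable.
verdict() {
    if [ "$2" -eq 1 ]; then
        echo "$1: VULNERABLE"
        vuln=$((vuln + 1))
    else
        echo "$1: ok"
    fi
}

shellshock_check() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || { echo "bash binary not found: $bin" >&2; return 127; }
    dir=$(mktemp -d) || return 126
    vuln=0

    # 1. CVE-2014-6271: the command after the imported function body is executed.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo test' 2>/dev/null)
    case "$out" in *vulnerable*) verdict CVE-2014-6271 1 ;; *) verdict CVE-2014-6271 0 ;; esac

    # 2. CVE-2014-7169: the leftover redirection turns "echo date" into "date > echo",
    #    leaving a file named "echo"; run it in the scratch dir and look for that file.
    (cd "$dir" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1)
    if [ -e "$dir/echo" ]; then verdict CVE-2014-7169 1; else verdict CVE-2014-7169 0; fi

    # 3. Leading-space variant of the function import (no CVE given on the page).
    out=$(env X=' () { }; echo hello' "$bin" -c 'date' 2>/dev/null)
    case "$out" in *hello*) verdict "leading-space variant" 1 ;; *) verdict "leading-space variant" 0 ;; esac

    # 4. CVE-2014-7186: 14 stacked here-documents overrun redir_stack; a crash (non-zero exit) is the signal.
    if "$bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    then verdict CVE-2014-7186 0; else verdict CVE-2014-7186 1; fi

    # 5. CVE-2014-7187: 200 nested for loops overrun word_lineno; again a crash is the signal.
    if { i=0; while [ "$i" -lt 200 ]; do i=$((i + 1)); echo "for x$i in ; do :"; done
         i=0; while [ "$i" -lt 200 ]; do i=$((i + 1)); echo done; done; } | "$bin" >/dev/null 2>&1
    then verdict CVE-2014-7187 0; else verdict CVE-2014-7187 1; fi

    # 6. Does bash still import a function from an arbitrarily named variable?
    #    A hardened bash only imports specially named ones, so the command is not found.
    out=$(shellshocker='() { echo You are vulnerable; }' "$bin" -c shellshocker 2>/dev/null)
    case "$out" in *"You are vulnerable"*) verdict CVE-2014-6278 1 ;; *) verdict CVE-2014-6278 0 ;; esac

    # 7. CVE-2014-6277: redefining a function that carries a here-document hits
    #    uninitialised memory; a crash is the signal.
    if "$bin" -c 'f() { x() { _;}; x() { _;} <<a; }' >/dev/null 2>&1
    then verdict CVE-2014-6277 0; else verdict CVE-2014-6277 1; fi

    rm -rf "$dir"
    return "$vuln"
}

shellshock_check "${1:-bash}"
```

Run it once against /bin/bash and once against the binary you just built (for example sh shellshock_check.sh /usr/local/bin/bash) so you know which one your scripts and login shell actually use.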


If you've tested your system, please leave a comment below, and include your bash version and what OS you're running: bash --version prints the former, cat /etc/*release* the latter.

How to fix ShellShock

CentOS, Ubuntu, Linux systems

Shellshock is a vulnerability in bash, so fixing it means installing a fixed bash: either the updated package from your distribution or the latest release plus all of its patches from GNU.org. Distributions backport the fixes, so a patched package may still report version 4.3 or older; trust the tests above rather than the version string.

Most package managers (yum, apt-get, etc.) already carry the fixed package, so updating just bash is usually enough.

For CentOS and other yum-based systems:

yum update bash -y

For Ubuntu Systems:

apt-get update; apt-get install --only-upgrade bash

For Arch Linux:

pacman -Syu

If your package manager doesn't find an update, you will need to build bash from source.

Building From Source

You can patch bash with one command using our bash patcher: run the following and you should be good to go. As with the tester, read the script first if you don't want to pipe an unread download into a shell.

Make sure you have patch installed before you run this command (sudo apt-get install patch, yum install patch, etc.).

curl https://shellshocker.net/fixbash | sh

If you want to do it yourself, feel free. Here are all the commands you'll need. Two things to know: ftp.gnu.org serves a .sig file next to the tarball and each patch, so you can verify them with gpg before building; and a default ./configure installs the new binary as /usr/local/bin/bash and leaves /bin/bash untouched, so either pass --bindir=/bin to configure (back up /bin/bash first) or make sure your scripts and login shell use the new path, then re-run the tests above against it.

cd ~/
mkdir bash
cd bash
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# download every patch in sequence until the next number does not exist
i=0
while :; do i=$((i + 1)); wget -N https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' $i) || break; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
# apply the patches in order; GNU's bash patches are made for -p0
for p in ../bash43-[0-9][0-9][0-9]; do patch -p0 < "$p"; done
# installs to /usr/local/bin/bash unless you gave configure --bindir
./configure && make && sudo make install

OS X

If you're running OS X, Apple has released official patches for Mavericks, Mountain Lion and Lion.

You can also download and compile bash yourself using brew or MacPorts.

We recommend using brew - Go to http://brew.sh/ and install brew on your system.

Once you have brew installed, run the following commands to install the patched bash and point /bin/bash at it. Note that brew's /usr/local is writable by your own user account, so after this an unprivileged process running as you can replace the system shell; prefer Apple's official update wherever it is available.

brew update
brew install bash
sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'
chsh -s /usr/local/bin/bash
sudo mv /bin/bash /bin/bash-backup
sudo ln -s /usr/local/bin/bash /bin/bash

If you're using MacPorts, run the following:

sudo port selfupdate
sudo port upgrade bash

Once you've updated, run the tests above again and report back your findings.

API

If you're a third party developer and you'd like to integrate shellshocker into your application (perfect for browser extensions), here is the API.

Shock API

Send a GET or POST request to:

https://shellshocker.net/shock?url=https://example.com

You will get a JSON object with a status and a message.

status 0: failure, with a failure message.
status 1: vulnerable, with a message.
status 2: maybe, with a message.
status 3: 404 or 403, with the response message.

Shock Stats API

Send a GET request to:

https://shellshocker.net/stats

You will get a JSON object with total_vulnerable and total tests.

Please note: If you use our API, please provide a link back to this page and let your users know that the results are provided by shellshocker.net. If you do not, we will revoke API requests from your utility.

Server Admins

Welcome! You're probably here because you see messages in your access logs that look like this:

#Your system may be vulnerable to ShellShock. Please visit https://shellshocker.net/ for more information.

No need to worry. That string is what this site's URL tester leaves in the request it sends, so seeing it in your access log means someone pointed the tester at your server, not necessarily that the probe worked. Everything you need to know is on this page: see Testing Your System above to find out whether you are vulnerable, and How to fix ShellShock to patch.
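As an added example (not shellshocker.net code), here is a small detection script for server admins: it searches a web server access log for the "() {" function-definition prefix that every probe on this page starts with. It assumes the probe arrives in a request header that your server logs, such as User-Agent or Referer in Apache's combined format; the log lines in the script are constructed for the example. A match tells you a probe was sent, not that it succeeded; the tests above tell you that.

```sh
#!/bin/sh
# Added example, not shellshocker.net code: find Shellshock probes in a web
# server access log by looking for the "() {" function-definition prefix.
# The sample log below is constructed for this example.

# Print the log lines that contain a "() {" prefix anywhere in the line.
# $1 = path to an access log. Returns 0 if anything matched, 1 if nothing did.
shellshock_probes() {
    grep -E '\(\)[[:space:]]*\{' "$1"
}

# Print how many such lines the log holds (always exits 0).
shellshock_probe_count() {
    shellshock_probes "$1" | wc -l | tr -d ' '
}

# Constructed sample in Apache "combined" format: one probe in the User-Agent
# field, one in the Referer field, and one ordinary request.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "() { :; }; echo shellshock" "curl/7.37.0"
EOF

shellshock_probes "$SAMPLE_LOG"
echo "probes found: $(shellshock_probe_count "$SAMPLE_LOG")"
```

Against a real server, replace the sample with your own log, e.g. shellshock_probes /var/log/apache2/access.log; the pattern tolerates the spacing variants ("(){", "() {") because bash only ever needed the prefix to look like a function definition.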


Like the site? bitcoin: 16fRZC2r4Nwn6fxMnXfPvNdJLgWpvaiVTG