NST Shellshock Detection

From NST Wiki
Jump to: navigation, search

This page shows how to test whether the version of bash installed on your NST system has the Shellshock vulnerability.

Shellshock Detection

The following commands indicate the bash version running on a NST 20 based system which has the Shellshock vulnerability:

[user@nst ~]$ bash --version 
GNU bash, version 4.2.47(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[user@nst ~]$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
[user@nst ~]$ 

The output above shows that the echo vulnerable command was run by the env command (it should not have been). This is the indicator that the version of bash installed on this system has the Shellshock vulnerability.

Shellshock Removal

To remove the Shellshock vulnerability, you will need to update the version of the bash shell installed on your system. For a NST 20 based distribution (or any Fedora 20 based distribution), you can accomplish this by running the following command:

[user@nst ~]$ sudo yum update
[sudo] password for user: 
Loaded plugins: fastestmirror, filter-data, keys, langpacks, list-data

... lot's of output from yum ...

Total download size: 552 M
Is this ok [y/d/N]: y

... a lot more output from yum ...

Complete!
[user@nst ~]$

Once the bash package has been updated, you should see the following when testing for the Shellshock vulnerability:

[user@nst ~]$ bash --version 
GNU bash, version 4.2.48(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[user@nst ~]$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
 hello
[user@nst ~]$ 

The lack of the "vulnerable" output indicates that the updated version of bash has been patched and is no longer contains the Shellshock vulnerability.