Shellshock bug testing for vulnerability

There's a new bug that has been discovered recently, requiring affecting most linux systems running bash. You can read more about it here, but the question most often asked is: how to check if you are vulnerable? Here's a simple way to find out. Login to your Linux box and run the following:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The output will be, if you are not vulnerable:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If you are vulnerable:

vulnerable
this is a test

Update (Oct 2): Here's a newer version of the test script. It incorporates tests for all of the other bugs related to shellshock

Download link

Test results are self explanatory:

If not vulnerable (will appear in a healthy-green colour):

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

If vulnerable:

Variable function parser active, maybe vulnerable to unknown parser bugs
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1)

	(613) 288-8124 (Ottawa)

	(877) 454-0758 (Toll-Free)

	This email address is being protected from spambots. You need JavaScript enabled to view it.
	This email address is being protected from spambots. You need JavaScript enabled to view it.
	Talk to ALT (fill out a form)

Shellshock bug testing for vulnerability

Contact ALT Today