Shellshock bug testing for vulnerability
There's a new bug that has been discovered recently, requiring affecting most linux systems running bash. You can read more about it here, but the question most often asked is: how to check if you are vulnerable? Here's a simple way to find out. Login to your Linux box and run the following:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
The output will be, if you are not vulnerable:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
If you are vulnerable:
vulnerable
this is a test
Update (Oct 2): Here's a newer version of the test script. It incorporates tests for all of the other bugs related to shellshock
Test results are self explanatory:
If not vulnerable (will appear in a healthy-green colour):
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
If vulnerable:
Variable function parser active, maybe vulnerable to unknown parser bugs
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1)