not getting the right response to vulnerability test
Nils Kassube
kassube at gmx.net
Mon Oct 6 18:54:50 UTC 2014
Bob Scott wrote:
> I used "env x='() { :;}; echo vulnerable' bash -c 'echo hello'",
> discovered I was vulnerable then performed upgrade. The subsequent
> test results in the response "hello" without the bash statements:
>
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
>
> Does the absence of "vulnerable" mean the updating was successful?

It seems that nobody who knows the details has an answer - and I don't
claim to really _know_ the answer. But the original problem of the
shellshock vulnerability was that bash would allow a function to be
defined as part of the call parameters which could be executed later to
be used for exploits. The update for this original vulnerability resulted
in an error message if such a function was defined, like you expected.
And it also printed the text "hello".

However there were other vulnerabilities found later which resulted in
another update. Obviously that later update simultaneously removed the
error message for the test you posted. Again, the original shellshock
vulnerability would allow a function definition by call parameters. Your
test would execute that function and print the message "vulnerable". Now
after the second update the message is "hello" which means that bash is
not vulnerable. IMHO it doesn't matter that there is no error message.
It is only important that the exploit code would not be executed.

So I would say that your bash version is not vulnerable to the
shellshock problem. And BTW I don't see the error message either on
those machines which have the second update installed.
Nils
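
The three outcomes discussed in this thread, as an added example that is not part of the original message: the function names and state labels are hypothetical, and the mapping of "warning" versus "no warning" to the first and later updates follows the description in the reply above.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names and the state
# labels are hypothetical. Usage: check_bash /bin/bash

# classify_shellshock_output STDOUT STDERR
# Maps the output of the test quoted in the thread to one of four states.
classify_shellshock_output() {
    cs_out=$1
    cs_err=$2
    # A line reading exactly "vulnerable" means the text after the function
    # body was executed while bash imported the variable x.
    if printf '%s\n' "$cs_out" | grep -qx 'vulnerable'; then
        echo "vulnerable"
        return 0
    fi
    # Without "hello" the command itself never ran (wrong path, not bash,
    # crash), so the result says nothing about the fix.
    if ! printf '%s\n' "$cs_out" | grep -qx 'hello'; then
        echo "inconclusive"
        return 0
    fi
    # "hello" plus the warning: the behaviour the thread attributes to the
    # first update. "hello" alone: the behaviour after the later update.
    if printf '%s\n' "$cs_err" | grep -q 'ignoring function definition attempt'; then
        echo "patched-with-warning"
    else
        echo "patched-silent"
    fi
}

# check_bash [PATH_TO_BASH]
# Runs the test from the thread against one bash binary, capturing stdout
# and stderr separately so the warning can be told apart from the output.
check_bash() {
    cb_bin=${1:-bash}
    cb_errfile=$(mktemp) || return 1
    cb_out=$(env x='() { :;}; echo vulnerable' "$cb_bin" -c 'echo hello' 2>"$cb_errfile") || true
    cb_err=$(cat "$cb_errfile")
    rm -f "$cb_errfile"
    classify_shellshock_output "$cb_out" "$cb_err"
}
```

A system can carry more than one bash binary (for example in a chroot or a container image), so `check_bash` takes the path to test rather than assuming the one on `PATH`.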