not getting the right response to vulnerability test

Nils Kassube kassube at gmx.net
Mon Oct 6 18:54:50 UTC 2014


Bob Scott wrote:
> I used "env x='() { :;}; echo vulnerable' bash -c 'echo hello'",
> discovered I was vulnerable then performed upgrade. The subsequent
> test results in the response "hello" without the bash statements:
> 
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> 
> Does the absence of "vulnerable" mean the updating was successful?

It seems that nobody who knows the details has an answer - and I don't 
claim to really _know_ the answer. But the original problem of the 
shellshock vulnerability was that bash would allow to define a function 
as part of the call parameters which could be executed later to be used 
for exploits. The update for this original vulnerability resulted in an 
error message if such a function was defined, like you expected. And it 
also printed the text "hello".

However there were other vulnerabilities found later which resulted in 
another update. Obviously that later update simultaneously removed the 
error message for the test you posted. Again, the original shellshock 
vulnerability would allow a function definition by call parameters. Your 
test would execute that function and print the message "vulnerable". Now 
after the second update the message is "hello" which means that bash is 
not vulnerable. IMHO it doesn't matter that there is no error message. 
It is only important that the exploit code would not be executed.

So I would say that your bash version is not vulnerable for the 
shellshock problem. And BTW I don't see the error message either on 
those machines which have the second update installed.


Nils





More information about the kubuntu-users mailing list