not getting the right response to vulnerability test

Christo Larsen Christo.Larsen at bytes.co.za
Mon Oct 6 21:26:37 UTC 2014


Hi

Just as info.

Also update my systems, and I just get the "this is a test" message.
No other errors.

Regards
Christo

________________________________

From: Nils Kassube<mailto:%3Ca%3Ekassube at gmx.net%3C/a%3E>
Sent: Monday, October 06, 2014 8:54PM
To: Kubuntu-users<mailto:%3Ca%3Ekubuntu-users at lists.ubuntu.com%3C/a%3E>
Subject: Re: not getting the right response to vulnerability test




Bob Scott wrote:


I used "env x='() { :;}; echo vulnerable' bash -c 'echo hello'",
discovered I was vulnerable then performed upgrade. The subsequent
test results in the response "hello" without the bash statements:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

Does the absence of "vulnerable" mean the updating was successful?



It seems that nobody who knows the details has an answer - and I don't
claim to really _know_ the answer. But the original problem of the
shellshock vulnerability was that bash would allow to define a function
as part of the call parameters which could be executed later to be used
for exploits. The update for this original vulnerability resulted in an
error message if such a function was defined, like you expected. And it
also printed the text "hello".

However there were other vulnerabilities found later which resulted in
another update. Obviously that later update simultaneously removed the
error message for the test you posted. Again, the original shellshock
vulnerability would allow a function definition by call parameters. Your
test would execute that function and print the message "vulnerable". Now
after the second update the message is "hello" which means that bash is
not vulnerable. IMHO it doesn't matter that there is no error message.
It is only important that the exploit code would not be executed.

So I would say that your bash version is not vulnerable for the
shellshock problem. And BTW I don't see the error message either on
those machines which have the second update installed.


Nils




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/kubuntu-users/attachments/20141006/ca4d585c/attachment.html>


More information about the kubuntu-users mailing list