BASH: Shellshock? Turtle Power?

  • All,

    I’m sure many of you have already seen or heard about this, but I feel obligated to just inform you all.


    Shellshock is a pretty significant “bug” that I think is quite a bit more severe than the simple label of a “bug”; it is rather a very large shortcoming.

    Seeing as many of us are using FOG on Linux servers, and a few of us are actually using our FOG servers across the internet, I think it would behoove all of us to run our relevant update managers, if only for this patch to be received.

  • Developer

    Also, from the article, you can test with this:
    [CODE]env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
    env X="() { :;} ; echo busted" $(which bash) -c "echo completed"[/CODE]
    [CODE]wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" myserver/cgi-bin/test[/CODE]
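
Added example, not part of the original thread or the article it cites: a local self-check built on the `env` probe quoted above, which also interprets the result (a vulnerable bash prints `busted` before `completed`). The function names `classify_output`, `check_shell` and `check_all` are hypothetical.

```shell
#!/bin/sh
# Local Shellshock self-check (added example; function names are hypothetical).

# classify_output TEXT: interpret what the probe printed.
#   "busted" present  -> the text after the function body was executed
#   only "completed"  -> the shell did not execute it
classify_output() {
    case "$1" in
        *busted*)    echo VULNERABLE ;;
        *completed*) echo NOT_VULNERABLE ;;
        *)           echo UNKNOWN ;;
    esac
}

# check_shell PATH: run the probe from the thread against one shell binary.
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo MISSING
        return 0
    fi
    # stderr is discarded so that any warning text cannot affect the result.
    out=$(env X='() { :;} ; echo busted' "$shell_path" -c 'echo completed' 2>/dev/null) || true
    classify_output "$out"
}

# check_all PATH...: print one "path<TAB>status" line per shell;
# the return code is 1 if any of them is vulnerable.
check_all() {
    rc=0
    for s in "$@"; do
        result=$(check_shell "$s")
        printf '%s\t%s\n' "$s" "$result"
        if [ "$result" = VULNERABLE ]; then
            rc=1
        fi
    done
    return $rc
}

# Check the two shells the probe in the thread targets.
check_all /bin/sh "$(command -v bash)" || echo "run your update manager to patch bash"
```
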

  • Developer

    Anyone worried about this can run this one-liner to see if you are vulnerable or not.

    Run this from a Linux/OS X box:

    (replace 1.2.3. with your subnet)

    for i in $(seq 1 253);do echo 1.2.3.$i;curl -s [url]$i|grep[/url] -B5 "Global Shellshock - The"|grep center;done

    It’s a little messy, but it does what it needs to do. Keep your eye out for a line that says “VULNERABLE” rather than “NOT VULNERABLE”.

    i.e. if your subnet is then for 1.2.3. you would place 255.255.0.