-2

Question: How do I know that I am affected or not by the bash CVE-2014-6271?

I just have to simply run a command on the server?

$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
vulnerable
this is a test
$

Not using it via SSH, and for example using ksh (but bash is installed).

UPDATE: if bash isn't the default shell, wouldn't it be easier to test it with:

bash -c "env x='() { :;}; echo vulnerable' bash -c echo this is a test"

UPDATE#2: the first part doesn't need bash.

1 Answer

0

Try this code in your bash terminal. If your server is patched and the bug is fixed, you get an error.

test="() { echo Hello; }; echo gehackt" bash -c ""
OkieOth
  • I hear right now that even if this sample script brings no error, you can't be sure the problem is solved. The latest patch for Ubuntu fixes the problem in the sample above, but there should be related problems that are not fixed currently :-( – OkieOth Sep 25 '14 at 14:13
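
An added example (not part of the original question or answer): the probe from the question wrapped in a check that names the bash binary explicitly, so the result does not depend on the login shell being ksh or anything else. The function names and result labels are hypothetical; as the comment above notes, NOT_VULNERABLE here covers only this one probe, not related parser bugs.

```shell
#!/bin/sh
# Added example: run the question's CVE-2014-6271 probe against specific bash binaries.
# Function names and result labels are hypothetical, chosen for this illustration.

# check_bash_6271 PATH_TO_BASH
# Prints VULNERABLE, NOT_VULNERABLE or UNKNOWN for that one binary.
check_bash_6271() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo UNKNOWN; return 0; }
    # Same probe as in the question; stderr is dropped because patched builds
    # may print a warning there, and only stdout is classified.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        vulnerable*)      echo VULNERABLE ;;      # trailing command was executed
        "this is a test") echo NOT_VULNERABLE ;;  # only the intended command ran
        *)                echo UNKNOWN ;;         # binary failed or printed something else
    esac
}

# list_bash_candidates: bash binaries found via PATH and /etc/shells, de-duplicated.
list_bash_candidates() {
    {
        command -v bash 2>/dev/null || true
        grep -E '^/.*/bash$' /etc/shells 2>/dev/null || true
    } | sort -u
}

# scan_bash [PATH...]
# Probes each given binary (or the discovered ones) and prints "path<TAB>result".
# Returns 1 if any binary is VULNERABLE, 0 otherwise.
scan_bash() {
    [ $# -gt 0 ] || set -- $(list_bash_candidates)
    rc=0
    for b in "$@"; do
        result=$(check_bash_6271 "$b")
        printf '%s\t%s\n' "$b" "$result"
        if [ "$result" = VULNERABLE ]; then rc=1; fi
    done
    return $rc
}

# Usage from any shell (sh, ksh, bash):  scan_bash
#                                   or:  scan_bash /usr/local/bin/bash
```
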