
I found this test here for the Shellshock vulnerability follow-up CVE-2014-7169, which is basically doing:

echo `env X='() { (a)=>\' sh -c "echo '[Vulnerability CVE-2014-7169 Detected]'" 2> /dev/null; cat echo 2> /dev/null`

Is this the correct way to test the vulnerability? And why does it involve sh and not bash?

My default shell is bash on one server:

ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Okt 18  2013 /bin/sh -> bash

and dash on another, where the test is also positive.

(If that's a problem, would it cause problems if I changed the default shell?)

rubo77
