Shellshock reporting

bvandepol
New Contributor III

Our management wants a report of the systems that are vulnerable to the Shellshock bug.

I'm not an experienced scripter, but I want to have the result (vulnerable | safe) in a variable so I can drop this in a PLIST and use an extension attribute for reporting. This may not be best practice, but this is how it's been requested.

# capture the test output; prints "safe" (preceded by "vulnerable" on an unpatched bash)
RESULT=$(env x='() { :;}; echo vulnerable' bash -c "echo safe")   # ==> Result to PLIST file
I hope somebody can help me out. Thanks


Niels_Illem
New Contributor II

Just create an extension attribute like this one:

#!/bin/bash

echo "<result>`env x='() { :;}; echo kwetsbaar' bash -c " "`</result>"

exit 0

Yes, in Dutch ;-) Are you coming to JNUG Amsterdam tomorrow? https://jamfnation.jamfsoftware.com/discussion.html?id=10947

jcurrin
New Contributor III

I created an extension attribute which reports back your bash version. There will be numerous versions of bash patches so I felt this was the best way of reporting back.

#!/bin/sh

# take the version field from the "GNU bash, version ..." line only (the other
# lines of --version output would add stray words) and strip the -release suffix
RESULT=$(bash --version | awk '/GNU bash/ {print $4}' | tr -d '\n' | sed -e 's/-.*//g')
echo "<result>$RESULT</result>"

exit 0

rmanly
Contributor III

bash maintains its own internal variables with version info.

http://tldp.org/LDP/abs/html/internalvariables.html

#!/bin/bash

echo "<result>${BASH_VERSINFO[2]}</result>"

ryan@AIR-ML-RMANLY test $ ./test
<result>53</result>
ryan@AIR-ML-RMANLY test $ cat ./test
#!/bin/bash

echo "<result>${BASH_VERSINFO[2]}</result>"
ryan@AIR-ML-RMANLY test $ /bin/bash
ryan@AIR-ML-RMANLY test $ echo $BASH_VERSION
3.2.53(1)-release
ryan@AIR-ML-RMANLY test $ exit

nkalister
Valued Contributor

Here's what I'm using; it reports on the three big issues: 6271, 7169 and 6278.

#!/bin/bash

# test for CVE-2014-6271 aka original shellshock
r=`x="() { :; }; echo x" bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
    result="Vulnerable to CVE-2014-6271"
else
    result="CVE-2014-6271 is patched"
fi
cd /tmp; rm -f echo 2>/dev/null

# test for CVE-2014-7169 (a broken definition leaves a redirection pending,
# so "bash -c echo" creates a file named echo in the current directory)
X='() { function a a>\' bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
    result="${result} Vulnerable to CVE-2014-7169"
else
    result="${result} CVE-2014-7169 is patched"
fi
rm -f echo 2>/dev/null

# test for CVE-2014-6278 (a plain name='() {...}' variable still imported as a function)
z=`a="() { echo x;}" bash -c a 2>/dev/null`
if [ -n "$z" ]; then
    result="${result} Vulnerable to CVE-2014-6278"
else
    result="${result} CVE-2014-6278 is patched"
fi
echo "<result>$result</result>"

ahambidge
New Contributor II

I am extremely fortunate to have a UNIX guy in my shop, so he was able to assist me with awk & cut to get just the version info from "bash --version", like below...

#!/bin/bash

bashver=`bash --version | awk '/GNU/ {print $4}'| cut -d '(' -f1`

echo "<result>$bashver</result>"

exit

mm2270
Legendary Contributor III

Hmm. Seems to me that @rmanly's approach is the best if we're talking about just pulling the bash version. I always forget about internal variables, so thanks rmanly for pointing that out!

Here's what I would use to report the full version in an EA:

#!/bin/bash

# BASH_VERSION is only set when the script itself runs under bash, so use a
# bash shebang rather than /bin/sh; cut drops the "(1)-release" suffix
echo "<result>$(echo "$BASH_VERSION" | cut -d'(' -f1)</result>"
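As an added example that is not part of this thread, the following extension attribute pulls the posts above together: rmanly's BASH_VERSINFO patch level, nkalister's three tests run against a fixed interpreter path, and one overall status at the front of the result so a smart group can match on it. The BASH_BIN path and the check_* function names are assumptions of this example; the checks themselves are the ones quoted in the thread.

```shell
#!/bin/bash
# Added example (not from the thread): one extension attribute that reports
# the bash patch level together with the outcome of the checks posted above.
BASH_BIN=/bin/bash   # assumption: the interpreter being audited

# CVE-2014-6271: does the command after the imported function body run?
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c ':' 2>/dev/null || true)
    [ -n "$out" ] && echo vulnerable || echo safe
}

# CVE-2014-7169: a broken definition leaves a redirection pending, so
# "bash -c echo" creates a file named echo. Use a scratch dir, not /tmp.
check_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { function a a>\' "$BASH_BIN" -c echo ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo safe; fi
    rm -rf "$dir"
}

# Prefix hardening (what the CVE-2014-6278 test above actually probes):
# a plain f='() {...}' variable must no longer be imported as a function.
check_prefix() {
    out=$(env f='() { echo imported; }' "$BASH_BIN" -c f 2>/dev/null || true)
    [ -n "$out" ] && echo vulnerable || echo safe
}

# Patch level via bash's own BASH_VERSINFO array (rmanly's approach), read
# from the audited binary rather than from whatever shell runs this script.
bash_patch_level() {
    "$BASH_BIN" -c 'echo "${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}"'
}

# Combine into a single <result>: overall status first so the EA can be
# matched in a smart group, then the details for the report.
shellshock_report() {
    r1=$(check_6271); r2=$(check_7169); r3=$(check_prefix)
    status=safe
    case "$r1$r2$r3" in *vulnerable*) status=vulnerable ;; esac
    echo "<result>$status bash=$(bash_patch_level) 6271=$r1 7169=$r2 prefix=$r3</result>"
}

shellshock_report
```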