Bash ShellShock

Daniel Schutterop
30-09-2014

OK. It’s been all over the news, we all know about the bash ‘ShellShock’ exploit. The numerous proofs-of-concept and articles regarding this bug (mostly coming from companies trying to profile themselves by screaming loudest) have risen to the surface in the aftermath of the cherry bomb that was launched into the relatively quiet pond.

In order to patch the vulnerability in my own environment, I wrote a modest Nagios NRPE check to test for the vulnerability and a Puppet module (which does nothing more than package { 'bash': ensure => 'latest', }, as we release our patches in a controlled fashion).

Using Nagios to check for vulnerabilities isn't new; in fact, I use this method regularly to ensure that machines aren't carrying the ancient bugs we know and hate.

check_bash_vulnerable.sh

#!/bin/ksh
################################################################################
# Nagios NRPE check: is bash on this machine vulnerable to ShellShock?         #
# Author: Daniel Schutterop                                                    #
################################################################################

# ./check_bash_vulnerable.sh [-h|-V|-v]

VERSION="Version 1.0"
AUTHOR="D. Schutterop"
PROGNAME=$(/bin/basename "$0")

# Nagios exit codes
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# Helper functions #############################################################

function print_revision {
 # Print the revision number
 echo "$PROGNAME - $VERSION"
}

function print_usage {
 # Print a short usage statement
 echo "Usage: $PROGNAME [-h|-V|-v]"
}

function print_help {
 # Print detailed help information
 print_revision
 echo "$AUTHOR\n\nCheck if bash on this machine is vulnerable to the bash ShellShock vulnerability (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271)\n"
 print_usage
 /bin/cat <<__EOT

Options:
-h
 Print detailed help screen
-V
 Print version information
-v
 Verbose output
__EOT
}

# Main #########################################################################

# Verbosity level
verbosity=0

# Parse command line options
while getopts "hVv" opt; do
 case $opt in
  h) print_help; exit $STATE_OK ;;
  V) print_revision; exit $STATE_OK ;;
  v) verbosity=1 ;;
  *) print_usage; exit $STATE_UNKNOWN ;;
 esac
done

# Run the CVE-2014-6271 test: a vulnerable bash executes the command that follows
# the function definition in the environment variable and prints "vulnerable".
# A patched bash only prints the test line (and a warning on stderr, discarded).
checkBashBleed=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null | grep vulnerable | wc -l)

[ $verbosity -eq 1 ] && echo "Lines containing 'vulnerable' in test output: $checkBashBleed"

if [ "$checkBashBleed" -eq 1 ]; then
 echo "Vulnerable system - This machine is vulnerable to the bash ShellShock exploit"
 exit $STATE_CRITICAL
fi

if [ "$checkBashBleed" -eq 0 ]; then
 echo "Not vulnerable to the bash ShellShock exploit"
 exit $STATE_OK
fi

# Anything else means the test itself misbehaved; never report that as OK
echo "UNKNOWN - unexpected output from the ShellShock test"
exit $STATE_UNKNOWN
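Added here as an example, not the post's script: the same probe written in POSIX sh, with the probe and the verdict split into separate functions so the verdict can be tested on captured output, and with an UNKNOWN state when the probe cannot run at all (a missing or wrong bash path must not show up as OK). The function names and the optional bash-path argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not the post's script): a Nagios-style ShellShock check that
# keeps the probe and the verdict in separate functions, so the verdict logic
# can be tested without a vulnerable bash, and that reports UNKNOWN when the
# probe itself cannot run instead of silently reporting OK. Function names
# and the bash path argument are this example's own choices.
STATE_OK=0; STATE_CRITICAL=2; STATE_UNKNOWN=3

# Run the CVE-2014-6271 probe from the post against one bash binary.
# A vulnerable bash runs the command that follows the exported function
# definition and prints "vulnerable"; a fixed bash prints only the test line.
run_probe() {
  [ -x "$1" ] || return 1
  env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null
}

# Map probe output to a Nagios state. Empty output means the probe did not
# run (no bash, wrong path, killed), which must be UNKNOWN rather than OK.
classify_probe() {
  case "$1" in
    *vulnerable*)       return "$STATE_CRITICAL" ;;
    *"this is a test"*) return "$STATE_OK" ;;
    *)                  return "$STATE_UNKNOWN" ;;
  esac
}

# Whole plugin: one status line on stdout, Nagios exit code as return value.
# Argument: path to the bash to test (defaults to the first bash in PATH).
check_shellshock() {
  bash_bin="${1:-$(command -v bash)}"
  output=$(run_probe "$bash_bin")
  classify_probe "$output"
  state=$?
  version=$("$bash_bin" -c 'echo "$BASH_VERSION"' 2>/dev/null)
  case "$state" in
    "$STATE_CRITICAL")
      echo "CRITICAL - bash ${version:-?} executes commands from the environment (CVE-2014-6271)" ;;
    "$STATE_OK")
      echo "OK - bash ${version:-?} is not vulnerable to CVE-2014-6271" ;;
    *)
      echo "UNKNOWN - could not probe bash at '$bash_bin'" ;;
  esac
  return "$state"
}

# As the last command of the script, its return value becomes the plugin's exit code.
check_shellshock "$@"
```

Wired into NRPE the same way as the post's check, the status line lands in Nagios and an UNKNOWN result points at a broken probe rather than a clean host.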
