Testing shellshock

1. #!/bin/bash
2.  
3. [ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
4.  
5. echo -e "\033[95mTesting $bash ..."
6. echo $($bash --version | head -n 1)
7. echo -e "\033[39m"
8.  
9.  
10. r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
11. if [ -n "$r" ]; then
12.     echo -e '\033[91mVulnerable to CVE-2014-6271 (original shellshock)\033[39m'
13. else
14.     echo -e '\033[92mNot vulnerable to CVE-2014-6271 (original shellshock)\033[39m'
15. fi
16.  
17. cd /tmp;rm echo 2>/dev/null
18. env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
19. if [ -e echo ]; then
20.     echo -e "\033[91mVulnerable to CVE-2014-7169 (taviso bug)\033[39m"
21. else
22.     echo -e "\033[92mNot vulnerable to CVE-2014-7169 (taviso bug)\033[39m"
23. fi
24.  
25. $($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/tmp/bashcheck.tmp)
26. ret=$?
27. grep -q AddressSanitizer /tmp/bashcheck.tmp
28. if [ $? == 0 ] || [ $ret == 139 ]; then
29.     echo -e "\033[91mVulnerable to CVE-2014-7186 (redir_stack bug)\033[39m"
30. else
31.     echo -e "\033[92mNot vulnerable to CVE-2014-7186 (redir_stack bug)\033[39m"
32. fi
33.  
34.  
35. $bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
36. if [ $? != 0 ]; then
37.     echo -e "\033[91mVulnerable to CVE-2014-7187 (nested loops off by one)\033[39m"
38. else
39.     echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
40. fi
41.  
42. $($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
43. if [ $? != 0 ]; then
44.     echo -e "\033[91mVulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]\033[39m"
45. else
46.     echo -e "\033[92mNot vulnerable to CVE-2014-6277 (lcamtuf bug #1)\033[39m"
47. fi
48.  
49. if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
50.     echo -e "\033[91mVulnerable to CVE-2014-6278 (lcamtuf bug #2) [no prefix/suffix]\033[39m"
51. elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
52.     echo -e "\033[91mVulnerable to CVE-2014-6278 (lcamtuf bug #2) [prefix/%%-suffix]\033[39m"
53. elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
54.     echo -e "\033[91mVulnerable to CVE-2014-6278 (lcamtuf bug #2) [prefix/()-suffix]\033[39m"
55. else
56.     echo -e "\033[92mNot vulnerable to CVE-2014-6278 (lcamtuf bug #2)\033[39m"
57. fi
58.  
59.  
60. r=`a="() { echo x;}" $bash -c a 2>/dev/null`
61. if [ -n "$r" ]; then
62.     echo -e "\033[93mVariable function parser still active, maybe vulnerable to unknown parser bugs\033[39m"
63. else
64.     echo -e "\033[92mVariable function parser inactive, likely safe from unknown parser bugs\033[39m"
65. fi