Comments (5)
Does the above commit address your bash/ksh concerns?
I didn't understand the need for the suggested modification to L49. Can you explain?
from shellshocker.
That commit should make the script sh compat again, yes.
It is just not good practice to parse ls. It shouldn't be an issue in this script since all the filenames are known, but it's not needed. The shell can iterate over files using globbing without using ls. ls is for human consumption.
from shellshocker.
When I run the shellshock_test.sh on one of my debian 7.0 systems I get a segfault:
```
~# ./shellshock_test.sh
CVE-2014-6271 (original shellshock): VULNERABLE
./shellshock_test.sh: line 16: 13511 Segmentation fault bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): VULNERABLE
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
```
As far as I understood the shell code, it does no harm to the proper functioning of the shellshock test, but it can be avoided ;)
I modified line 16 to look like this, and the segfault is not shown anymore:
```
eval CVE20146277=$((bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable) | grep 'vulnerable' | wc -l)
```
HTH and keep up the good work!
cheers
from shellshocker.
@sock3t nice find
Line 50 poses a segfault also
from shellshocker.
5y old issue. bye.
from shellshocker.
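The segfault notice discussed in the comments above comes from the shell that waits on the crashed child, not from the child itself. The following is an added example, not code from the shellshocker script: it runs a check inside a subshell whose stderr is discarded and classifies the result by exit status. The names `run_quiet` and `classify` are hypothetical, and the crashing command is a constructed stand-in (a shell that sends itself SIGSEGV).

```shell
#!/bin/sh
# Added example: run a test command that may crash, without the calling
# shell printing its "Segmentation fault" job notice.

# run_quiet CMD [ARGS...]: returns CMD's exit status, prints nothing.
run_quiet() {
    # The subshell is the process that waits for CMD, so any signal notice
    # goes to the subshell's stderr, which is discarded. The trailing `exit`
    # stops the shell from exec'ing CMD in place of the subshell.
    # `ulimit -c 0` avoids leaving a core file behind.
    ( ulimit -c 0 2>/dev/null || true; "$@"; exit $? ) >/dev/null 2>&1
}

# classify CMD [ARGS...]: prints "ok", "failed:<status>" or "signal:<n>".
# By convention a status above 128 means "killed by signal (status - 128)";
# a command that calls `exit 139` itself is indistinguishable from a crash.
classify() {
    status=0
    run_quiet "$@" || status=$?
    if [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    elif [ "$status" -eq 0 ]; then
        echo "ok"
    else
        echo "failed:$status"
    fi
}

# Constructed stand-ins for a real check command.
classify true
classify sh -c 'exit 3'
classify sh -c 'kill -s SEGV $$'
```

A test script can treat any `signal:` result as a crash of the shell under test and report it on its own result line.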