tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Disabling Shellshock test as it gives false positives

This commit is contained in:
mboelen 2015-01-15 22:06:34 +01:00
parent 5caf4ddc4f
commit 44a530719c
1 changed files with 35 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
include/tests_shells
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -229,105 +229,91 @@
logtext "Result: found ${FIND} as a valid shell"
SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1
# CVE-2015-6271
logtext "Test: Check for first exploit (CVE-2015-6271)"
# CVE-2014-6271
logtext "Test: Check for first exploit (CVE-2014-6271)"
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to original shellshock (CVE-2015-6271)"
Display --indent 2 --text "- Shellshock: CVE-2015-6271 (original shellshocker)" --result "WARNING" --color RED
logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)"
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to original shellshock (CVE-2015-6271)"
#Display --indent 4 --text "- CVE-2015-6271 (original shellshocker)" --result "OK" --color GREEN
logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN
fi
# CVE-2015-6277
logtext "Test: Check for first exploit (CVE-2015-6277)"
echo "(bash -c \"f() { x() { _;}; x() { _;} <<a; }\" 2>/dev/null || echo vulnerable) | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to original shellshock (CVE-2015-6277). This may not be a security risk, as distributions patched it. Still it shows your bash is vulnerable for crashing."
Display --indent 2 --text "- Shellshock: CVE-2015-6277 (segfault, lcamtuf bug #1)" --result "WARNING" --color RED
# Do not trigger the warning for this particular test. Most distributions did actually patch it to reduce the security risks, while allowing it still to segfault.
#FOUND=1
else
logtext "Result: Not vulnerable to original shellshock (CVE-2015-6277)"
#Display --indent 4 --text "- CVE-2015-6277 (segfault, lcamtuf bug #1)" --result "OK" --color GREEN
fi
# CVE-2014-6277 (disabled, as this test was giving too much false positives)
# CVE-2015-6278
logtext "Test: Check for CVE-2015-6278"
# CVE-2014-6278
logtext "Test: Check for CVE-2014-6278"
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to CVE-2015-6278"
Display --indent 2 --text "- Shellshock: CVE-2015-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED
logtext "Result: Vulnerable to CVE-2014-6278"
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to CVE-2015-6278"
#Display --indent 4 --text "- CVE-2015-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN
logtext "Result: Not vulnerable to CVE-2014-6278"
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN
fi
# CVE-2015-7169
logtext "Test: Check for taviso bug CVE-2015-7169"
# CVE-2014-7169
logtext "Test: Check for taviso bug CVE-2014-7169"
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to taviso bug (CVE-2015-7169)"
Display --indent 2 --text "- Shellshock: CVE-2015-7169 (taviso bug)" --result "WARNING" --color RED
logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)"
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to taviso bug (CVE-2015-7169)"
#Display --indent 4 --text "- CVE-2015-7169 (taviso bug)" --result "OK" --color GREEN
logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN
fi
# CVE-2015-7186
logtext "Test: Check for CVE-2015-7186"
# CVE-2014-7186
logtext "Test: Check for CVE-2014-7186"
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to CVE-2015-7186"
Display --indent 2 --text "- Shellshock: CVE-2015-7186 redir_stack bug" --result "WARNING" --color RED
logtext "Result: Vulnerable to CVE-2014-7186"
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to CVE-2015-7186"
#Display --indent 4 --text "- CVE-2015-7186 redir_stack bug" --result "OK" --color GREEN
logtext "Result: Not vulnerable to CVE-2014-7186"
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN
fi
# CVE-2015-7187
logtext "Test: Check for CVE-2015-7187"
# CVE-2014-7187
logtext "Test: Check for CVE-2014-7187"
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to CVE-2015-7187"
Display --indent 2 --text "- Shellshock: CVE-2015-7187 nested loops off by one bug" --result "WARNING" --color RED
logtext "Result: Vulnerable to CVE-2014-7187"
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to CVE-2015-7187"
#Display --indent 4 --text "- CVE-2015-7187 nested loops off by one bug" --result "OK" --color GREEN
logtext "Result: Not vulnerable to CVE-2014-7187"
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN
fi
# CVE-2015-////
# CVE-2014-////
logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to CVE-2015-//// (exploit #3 on shellshocker.net)"
logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED
FOUND=1
else