mirror of https://github.com/CISOfy/lynis.git
Minor improvements to Shellshock test
This commit is contained in:
mboelen
parent
5439083b4e
commit
525c430d84
|
|
@ -209,8 +209,8 @@
|
|||
#################################################################################
|
||||
#
|
||||
# Test : SHLL-6290
|
||||
# Description : Check shellshock vulnerability
|
||||
Register --test-no SHLL-6290 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-6271)"
|
||||
# Description : Check for Shellshock vulnerability
|
||||
Register --test-no SHLL-6290 --weight H --network NO --description "Perform Shellshock vulnerability tests"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
#Display --indent 2 --text "- Testing for Shellshock vulnerability"
|
||||
|
|
@ -224,117 +224,119 @@
|
|||
fi
|
||||
|
||||
logtext "Result: command revealed ${FIND} as output"
|
||||
if [ ! "${FIND}" = "" -a -x ${FIND} -a ! -L ${FIND} ]; then
|
||||
logtext "Result: found ${FIND} as a valid shell"
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ -x "${FIND}" -a ! -L "${FIND}" ]; then
|
||||
logtext "Result: found ${FIND} as a valid shell"
|
||||
SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1
|
||||
|
||||
SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1
|
||||
# CVE-2014-6271
|
||||
logtext "Test: Check for first exploit (CVE-2014-6271)"
|
||||
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
|
||||
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-6271
|
||||
logtext "Test: Check for first exploit (CVE-2014-6271)"
|
||||
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
# CVE-2014-6277
|
||||
logtext "Test: Check for first exploit (CVE-2014-6277)"
|
||||
echo "(bash -c \"f() { x() { _;}; x() { _;} <<a; }\" 2>/dev/null || echo vulnerable) | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to original shellshock (CVE-2014-6277). This may not be a security risk, as distributions patched it. Still it shows your bash is vulnerable for crashing."
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "WARNING" --color RED
|
||||
# Do not trigger the warning for this particular test. Most distributions did actually patch it to reduce the security risks, while allowing it still to segfault.
|
||||
#FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to original shellshock (CVE-2014-6277)"
|
||||
#Display --indent 4 --text "- CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-6278
|
||||
logtext "Test: Check for CVE-2014-6278"
|
||||
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to CVE-2014-6278"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to CVE-2014-6278"
|
||||
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7169
|
||||
logtext "Test: Check for taviso bug CVE-2014-7169"
|
||||
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
|
||||
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7186
|
||||
logtext "Test: Check for CVE-2014-7186"
|
||||
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to CVE-2014-7186"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to CVE-2014-7186"
|
||||
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7187
|
||||
logtext "Test: Check for CVE-2014-7187"
|
||||
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to CVE-2014-7187"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to CVE-2014-7187"
|
||||
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-////
|
||||
logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
|
||||
echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
|
||||
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
|
||||
#Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN
|
||||
fi
|
||||
else
|
||||
logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
|
||||
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN
|
||||
logtext "Result: bash binary found, but not executable, or it is symlinked"
|
||||
fi
|
||||
|
||||
# CVE-2014-6277
|
||||
logtext "Test: Check for first exploit (CVE-2014-6277)"
|
||||
echo "(bash -c \"f() { x() { _;}; x() { _;} <<a; }\" 2>/dev/null || echo vulnerable) | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to original shellshock (CVE-2014-6277). This may not be a security risk, as distributions patched it. Still it shows your bash is vulnerable for crashing."
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "WARNING" --color RED
|
||||
# Do not trigger the warning for this particular test. Most distributions did actually patch it to reduce the security risks, while allowing it still to segfault.
|
||||
#FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to original shellshock (CVE-2014-6277)"
|
||||
#Display --indent 4 --text "- CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-6278
|
||||
logtext "Test: Check for CVE-2014-6278"
|
||||
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to CVE-2014-6278"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to CVE-2014-6278"
|
||||
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7169
|
||||
logtext "Test: Check for taviso bug CVE-2014-7169"
|
||||
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
|
||||
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7186
|
||||
logtext "Test: Check for CVE-2014-7186"
|
||||
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to CVE-2014-7186"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to CVE-2014-7186"
|
||||
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7187
|
||||
logtext "Test: Check for CVE-2014-7187"
|
||||
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to CVE-2014-7187"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to CVE-2014-7187"
|
||||
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-////
|
||||
logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
|
||||
echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
logtext "Output: ${VULNERABLE}"
|
||||
logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
|
||||
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
|
||||
#Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN
|
||||
fi
|
||||
|
||||
else
|
||||
logtext "Result: could not find bash to be a valid shell"
|
||||
fi
|
||||
|
|
@ -357,4 +359,4 @@ wait_for_keypress
|
|||
|
||||
#
|
||||
#================================================================================
|
||||
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
|
||||
# Lynis - Copyright 2007-2014, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands
|
||||
|
|
|
|||
Loading…
Reference in New Issue