From 525c430d84b781086180b5498e668f558735838c Mon Sep 17 00:00:00 2001
From: mboelen
Date: Tue, 4 Nov 2014 01:34:14 +0100
Subject: [PATCH] Minor improvements to Shellshock test
---
 include/tests_shells | 222 ++++++++++++++++++++++---------------------
 1 file changed, 112 insertions(+), 110 deletions(-)
diff --git a/include/tests_shells b/include/tests_shells
index 5d0fa442..bf0b7f71 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -209,8 +209,8 @@ ################################################################################# # # Test : SHLL-6290
- # Description : Check shellshock vulnerability
- Register --test-no SHLL-6290 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-6271)"
+ # Description : Check for Shellshock vulnerability
+ Register --test-no SHLL-6290 --weight H --network NO --description "Perform Shellshock vulnerability tests"
 if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 #Display --indent 2 --text "- Testing for Shellshock vulnerability"
@@ -224,117 +224,119 @@ fi logtext "Result: command revealed ${FIND} as output" - if [ ! "${FIND}" = "" -a -x ${FIND} -a ! -L ${FIND} ]; then - logtext "Result: found ${FIND} as a valid shell" + if [ ! "${FIND}" = "" ]; then + if [ -x "${FIND}" -a ! -L "${FIND}" ]; then + logtext "Result: found ${FIND} as a valid shell" + SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1 - SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1 + # CVE-2014-6271 + logtext "Test: Check for first exploit (CVE-2014-6271)" + echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)" + Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)" + #Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN + fi - # CVE-2014-6271 - logtext "Test: Check for first exploit (CVE-2014-6271)" - echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` - rm -f ${SHELLSHOCK_TMP} - if [ ! 
"${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)" - Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED - FOUND=1 + # CVE-2014-6277 + logtext "Test: Check for first exploit (CVE-2014-6277)" + echo "(bash -c \"f() { x() { _;}; x() { _;} </dev/null || echo vulnerable) | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to original shellshock (CVE-2014-6277). This may not be a security risk, as distributions patched it. Still it shows your bash is vulnerable for crashing." + Display --indent 2 --text "- Shellshock: CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "WARNING" --color RED + # Do not trigger the warning for this particular test. Most distributions did actually patch it to reduce the security risks, while allowing it still to segfault. + #FOUND=1 + else + logtext "Result: Not vulnerable to original shellshock (CVE-2014-6277)" + #Display --indent 4 --text "- CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "OK" --color GREEN + fi + + # CVE-2014-6278 + logtext "Test: Check for CVE-2014-6278" + echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! 
"${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to CVE-2014-6278" + Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to CVE-2014-6278" + #Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN + fi + + # CVE-2014-7169 + logtext "Test: Check for taviso bug CVE-2014-7169" + echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)" + Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)" + #Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN + fi + + # CVE-2014-7186 + logtext "Test: Check for CVE-2014-7186" + echo "(bash -c 'true </dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! 
"${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to CVE-2014-7186" + Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to CVE-2014-7186" + #Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN + fi + + # CVE-2014-7187 + logtext "Test: Check for CVE-2014-7187" + echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to CVE-2014-7187" + Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to CVE-2014-7187" + #Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN + fi + + # CVE-2014-//// + logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" + echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! 
"${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)" + Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)" + #Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN + fi else - logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)" - #Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN + logtext "Result: bash binary found, but not executable, or it is symlinked" fi - - # CVE-2014-6277 - logtext "Test: Check for first exploit (CVE-2014-6277)" - echo "(bash -c \"f() { x() { _;}; x() { _;} </dev/null || echo vulnerable) | grep 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` - rm -f ${SHELLSHOCK_TMP} - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to original shellshock (CVE-2014-6277). This may not be a security risk, as distributions patched it. Still it shows your bash is vulnerable for crashing." - Display --indent 2 --text "- Shellshock: CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "WARNING" --color RED - # Do not trigger the warning for this particular test. Most distributions did actually patch it to reduce the security risks, while allowing it still to segfault. 
- #FOUND=1 - else - logtext "Result: Not vulnerable to original shellshock (CVE-2014-6277)" - #Display --indent 4 --text "- CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "OK" --color GREEN - fi - - # CVE-2014-6278 - logtext "Test: Check for CVE-2014-6278" - echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` - rm -f ${SHELLSHOCK_TMP} - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to CVE-2014-6278" - Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED - FOUND=1 - else - logtext "Result: Not vulnerable to CVE-2014-6278" - #Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN - fi - - # CVE-2014-7169 - logtext "Test: Check for taviso bug CVE-2014-7169" - echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` - rm -f ${SHELLSHOCK_TMP} - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)" - Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED - FOUND=1 - else - logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)" - #Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN - fi - - # CVE-2014-7186 - logtext "Test: Check for CVE-2014-7186" - echo "(bash -c 'true </dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` - rm -f ${SHELLSHOCK_TMP} - if [ ! 
"${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to CVE-2014-7186" - Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED - FOUND=1 - else - logtext "Result: Not vulnerable to CVE-2014-7186" - #Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN - fi - - # CVE-2014-7187 - logtext "Test: Check for CVE-2014-7187" - echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` - rm -f ${SHELLSHOCK_TMP} - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to CVE-2014-7187" - Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED - FOUND=1 - else - logtext "Result: Not vulnerable to CVE-2014-7187" - #Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN - fi - - # CVE-2014-//// - logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" - echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP} - VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` - rm -f ${SHELLSHOCK_TMP} - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)" - Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED - FOUND=1 - else - logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)" - #Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN - fi - else logtext "Result: could not find bash to be a valid shell" fi 
@@ -357,4 +359,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2014, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands