TL;DR
Shellshock is a serious cyber security vulnerability affecting Bash (the common command interpreter in Linux and macOS). This guide shows you how to find systems potentially vulnerable to remote code execution via Shellshock. We’ll use tools like nmap and online scanners, plus check for patched versions of Bash.
Checking for Vulnerable Systems
- Understand the Risk: Shellshock allows attackers to run commands on your server remotely by exploiting how Bash handles environment variables. This can lead to complete system compromise.
- Nmap Script Scan (Recommended): Nmap is a powerful network scanner. It has scripts specifically designed to detect Shellshock vulnerabilities.
- Install Nmap if you haven’t already:
sudo apt update && sudo apt install nmap(Debian/Ubuntu) orbrew install nmap(macOS). - Run the script against your target network. Replace
192.168.1.0/24with your actual network range:nmap -p 22 --script vuln-shellshock 192.168.1.0/24This scans port 22 (SSH, a common entry point) and checks for the vulnerability.
- Review the output. Nmap will report any vulnerable systems it finds with details about the specific Shellshock variant detected.
- Install Nmap if you haven’t already:
- Online Vulnerability Scanners: Several websites offer online Shellshock scanners. These are quick but less reliable than a local scan.
- Examples include: Pingdom’s Shellshock Test, and various other security assessment sites.
- Be cautious about entering sensitive information into online scanners; only use reputable services.
- Check Bash Version: The vulnerability exists in older versions of Bash. Updating to a patched version is the primary fix.
- Run this command to check your Bash version:
bash --version - Versions 4.3 and earlier are vulnerable. Versions 4.4 and later include fixes, but it’s crucial to ensure all patches have been applied.
- Run this command to check your Bash version:
- Specific Bash Patch Check: Even with version 4.4+, check for specific patches related to Shellshock (CVE-2014-6271, CVE-2014-7169, etc.).
- On Debian/Ubuntu:
apt list --installed bash | grep 4.4Look for specific patch levels in the output.
- On CentOS/RHEL/Fedora:
rpm -qa | grep bashAgain, check for patch versions.
- On Debian/Ubuntu:
- Check Environment Variables: While not a direct detection method, examining environment variables can sometimes reveal suspicious configurations that might indicate an attempted exploit.
- List all environment variables:
env - Look for unusual or unexpected variable names and values. This is more useful after a suspected compromise than as a primary detection method.
- List all environment variables:
Important Considerations
- False Positives: Scanners can sometimes report false positives. Always verify the results manually by checking Bash versions and applying patches.
- Firewall Rules: Ensure your firewall rules restrict access to port 22 (SSH) from untrusted sources.
- Regular Updates: Keep all software, including Bash, up-to-date with the latest security patches. Automated update systems are highly recommended.