[00:15] *** vissborg has quit IRC (Remote host closed the connection)
[00:18] *** vissborg has joined #arpnetworks
[01:21] *** LT has joined #arpnetworks
[02:44] *** DaCa_ is now known as DaCa
[04:45] *** zhangxiaobao has joined #arpnetworks
[05:52] *** zhangxiaobao has quit IRC (Remote host closed the connection)
[06:29] *** medum has quit IRC (Quit: Lost terminal)
[08:58] *** LT has quit IRC (Quit: Leaving)
[15:45] *** medum has joined #arpnetworks
[20:42] <mnathani> is there a shell based utility to test bash vulnerability of remote web servers?
[21:28] <m0unds> there's a command you can run to test it
[21:29] <m0unds> well, a number of them i guess
[21:29] <m0unds> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
[21:29] <m0unds> that's one
[22:01] <brycec> mnathani: Since it varies by path (eg, I can't just open :443 and throw packets at it), to my knowledge no such utility is really useful
[22:01] <brycec> mnathani: But you can throw it in a curl pretty easily, since that's all it takes
[22:02] <brycec> something like curl -A "env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"" http://server/insecure.cgi
[22:02] <brycec> throw that into a loop even
[22:03] <brycec> up_the_irons: *bump* ticket (not that it's urgent, but want to make sure you've seen it)
[22:03] <brycec> (yes I got the autoresponder, so I know it's been received)
[22:09] <m0unds> oh, i misinterpreted it - just assumed remote webservers meant boxes in your control with shell access
[22:14] <mercutio>  env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"
[22:14] <mercutio> this is what i use to test it
[22:14] <mercutio> if it says shellshock it's vulnerable
[22:14] <mercutio> oh that's basically the same as what you said
[22:15] <brycec> Almost verbatim :P
[22:15] <mercutio> but basically all bash instances are vulnerable.
[22:15] <mercutio> testing on server is good enough
[22:15] <mercutio> don't need to test remote vulnerable
[22:15] <mercutio> update bash on *all* systems
[22:15] <brycec> I think the scenario is that mnathani wants to be able to tell Google (for example) their server needs updating, hence the "of remote web servers"
[22:16] <mercutio> oh right
[22:16] <brycec> Where "Google" is probably replaced by acquaintences, clients, sales prospects, etc
[22:16] <mercutio> that's probably illegal
[22:16] <mercutio> here
[22:16] <mercutio> i dunno what it's like there.
[22:16] <brycec> Grey area, as all pen-testing tends to be without documents