***: vissborg has joined #arpnetworks
LT has joined #arpnetworks
DaCa_ is now known as DaCa
zhangxiaobao has joined #arpnetworks
zhangxiaobao has quit IRC (Remote host closed the connection)
medum has quit IRC (Quit: Lost terminal)
LT has quit IRC (Quit: Leaving)
medum has joined #arpnetworks
mnathani: is there a shell based utility to test bash vulnerability of remote web servers?
m0unds: there's a command you can run to test it
well, a number of them i guess
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
that's one
brycec: mnathani: Since it varies by path (eg, I can't just open :443 and throw packets at it), to my knowledge no such utility is really useful
mnathani: But you can throw it in a curl pretty easily, since that's all it takes
something like curl -A "env x='() { :;}; echo vulnerable' bash -c "echo this is a test"" http://server/insecure.cgi
throw that into a loop even
up_the_irons: *bump* ticket (not that it's urgent, but want to make sure you've seen it)
(yes I got the autoresponder, so I know it's been received)
m0unds: oh, i misinterpreted it - just assumed remote webservers meant boxes in your control with shell access
mercutio: env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"
this is what i use to test it
if it says shellshock it's vulnerable
oh that's basically the same as what you said
brycec: Almost verbatim :P
mercutio: but basically all bash instances are vulnerable.
testing on server is good enough
don't need to test remote vulnerable
update bash on *all* systems
brycec: I think the scenario is that mnathani wants to be able to tell Google (for example) their server needs updating, hence the "of remote web servers"
mercutio: oh right
brycec: Where "Google" is probably replaced by acquaintances, clients, sales prospects, etc
mercutio: that's probably illegal
here
i dunno what it's like there.
brycec: Grey area, as all pen-testing tends to be without documents