
I found two ways of checking for the vulnerability CVE-2014-7169 (aftershock or taviso bug)

bashcheck uses:

cd /tmp;rm echo 2>/dev/null
X='() { function a a>\' bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
    echo -e "\033[91mVulnerable to CVE-2014-7169 (taviso bug)\033[39m"
else
    echo -e "\033[92mNot vulnerable to CVE-2014-7169 (taviso bug)\033[39m"
fi

The other shellshoc.sh is positive:

echo -e "\n\033[1;34m[supposed to be Testing for Vulnerability CVE-2014-7169 too...]\033[0m\n"
sleep 2
echo `env X='() { (a)=>\' sh -c "echo '\033[1;31m[supposed Vulnerability CVE-2014-7169 Detected!]\033[0m'" 2> /dev/null; cat echo 2> /dev/null`

see https://github.com/hannob/bashcheck/issues/6

Which one is the correct check? And if it is the first one, why is the second one positive?

rubo77

1 Answer


I found the first one, which is probably derived from this Red Hat post, works reliably, while the second one does not, even on a vulnerable machine.

I think the author of the second snippet misses the part that taviso's finding cannot be exploited the same way the original bug was. E.g. with taviso's snippet you can create a file, but cannot execute commands (iirc, but ymmv).

RoraΖ
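A variant of the first check, as an added example that is not part of the original question or answer and is not bashcheck's own code: it keeps the same probe string but runs it in a `mktemp -d` scratch directory instead of `/tmp`, and decides only on whether the file `echo` appears, never on printed text. The function name `check_cve_2014_7169` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: file-creation check for CVE-2014-7169, run in a private
# scratch directory so nothing in /tmp is removed or overwritten.

# check_cve_2014_7169 [SHELL]   (hypothetical helper, default SHELL is bash)
# Returns 0 if a file named "echo" appears (vulnerable),
#         1 if it does not (not vulnerable),
#         2 if the check could not be run.
check_cve_2014_7169() {
    shell_bin=${1:-bash}
    command -v "$shell_bin" >/dev/null 2>&1 || return 2
    scratch=$(mktemp -d) || return 2
    # Subshell: the cd and the X variable do not leak into the caller.
    (
        cd "$scratch" || exit 2
        # Same probe string as the bashcheck snippet. On an affected bash the
        # leftover ">\" makes "echo" a redirection target, creating the file.
        X='() { function a a>\' "$shell_bin" -c echo >/dev/null 2>&1 || :
        # Decide on the side effect only.
        [ -e echo ]
    ) && rc=0 || rc=$?
    rm -rf -- "$scratch"
    return "$rc"
}

# Report for the shell named in $1, or for the bash found on PATH.
check_cve_2014_7169 "${1:-bash}" && status=0 || status=$?
case $status in
    0) echo "Vulnerable to CVE-2014-7169 (taviso bug)" ;;
    1) echo "Not vulnerable to CVE-2014-7169 (taviso bug)" ;;
    *) echo "Check could not be run" ;;
esac
```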