The first patch to bash fixed for the initial tests. Here is a test for the initial patched bash that showed another problem...
env X='() { (a)=>\' sh -c "echo date"; cat echo
Prints the date if there is trouble.
Debian updated the stable distrib this morning to catch the new exploit.
Unfortunately there seems to be even more trouble coming: http://tinyurl.com/mzvcgbc
If you are running Debian stable the default shell is dash, which is safe, but if you upgraded from an older release in stages (say etch->squeeze->wheezy) you may not be using dash.
ls -l /bin/sh
Check to see where the symlink points to.
To "fix", make sure dash is installed:
sudo apt-get install dash
then use the /etc/alternatives method to set it as the default:
sudo update-alternatives --install /bin/sh sh /bin/dash 1
make sure it's set:
sudo update-alternatives --config sh
Hand check this afterwards:
ls -l /bin/sh
should return:
lrwxrwxrwx 1 root root 20 Sep 27 00:15 /bin/sh -> /etc/alternatives/sh
ls -l /etc/alternatives/sh
should return:
lrwxrwxrwx 1 root root 9 Sep 27 00:15 /etc/alternatives/sh -> /bin/dash
To be safe I restarted my apache server and mail system after the change.
Finally, check your password file to see if bash is being explicitly used:
grep bash /etc/passwd
If it is, I suggest you edit your password file so it uses /bin/sh after making the changes above.
If you are on a non-Debian system you should search your vendor's configuration to see how to change the default shell.
I don't particularly like dash but it's supposed to be safe. If you can't live without the features of bash you can just run it after logging in interactively.
Bob (N0QBJ)
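The hand checks from the message above (where /bin/sh finally points, and which accounts name bash as their login shell), as an added shell example that is not part of the original post. The function names, the optional root-prefix argument and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. The optional root prefix (an assumption of this sketch) lets the
# checks run on a constructed tree; call `audit` with no argument for the live system.

# Follow /bin/sh through every symlink hop (e.g. -> /etc/alternatives/sh -> /bin/dash).
sh_target() {
    root=${1:-}; cur=/bin/sh; hops=0
    while [ -L "$root$cur" ] && [ "$hops" -lt 16 ]; do
        link=$(readlink "$root$cur")
        case $link in
            /*) cur=$link ;;                      # absolute target
            *)  cur=$(dirname "$cur")/$link ;;    # relative to the link's directory
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$cur"
}

# List "user:shell" for accounts whose login shell (field 7) is bash. Unlike a
# plain grep, this ignores "bash" appearing in a user name or home directory.
bash_accounts() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 ":" $7 }' "${1:-/etc/passwd}"
}

audit() {
    target=$(sh_target "${1:-}")
    case $target in
        */dash) echo "OK   /bin/sh resolves to $target" ;;
        *)      echo "WARN /bin/sh resolves to $target, not dash" ;;
    esac
    bash_accounts "${1:-}/etc/passwd" | while IFS=: read -r user shell; do
        echo "NOTE $user logs in with $shell"
    done
}

# Constructed sample tree: a staged upgrade where /bin/sh still points at bash.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/etc/alternatives"
    : > "$t/bin/bash"; : > "$t/bin/dash"
    ln -s /etc/alternatives/sh "$t/bin/sh"
    ln -s /bin/bash "$t/etc/alternatives/sh"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'bashful:x:1000:1000::/home/bashful:/bin/sh' \
        'www-data:x:33:33::/var/www:/usr/sbin/nologin' > "$t/etc/passwd"
    printf '%s\n' "$t"
}

sample=$(make_sample_tree) && audit "$sample" && rm -rf "$sample"
```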
"Brian n1uro@n1uro.ampr.org says:"
Robbie;
On Fri, 2014-09-26 at 22:38 +0200, Robbie De Lise wrote:
If you want to see if your system is vulnerable you can run the following commands in a shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
Great tool! Thanks for sharing!