Greetings again Lurkers all,

News is that the "sh" version of the detector has not passed testing and is broken.

The version to use for the time being is the "bash" based version shown here:

<snip>
#!/bin/bash
# 2014-09-25 10:35:11 pflint
# SOURCE:http://blogs.splunk.com/2014/09/24/finding-shellshock-cve-2014-6271-with-splunk-forwarders/
#
HOSTNAME=$(/bin/hostname)
RUNNING=$(/bin/date)
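# Start a child bash with a crafted function definition in the environment;
# a vulnerable bash runs the trailing echo while importing it.
# (The trailing /dev/null is only taken by "bash -c" as $0; stderr is captured via 2>&1.)
THECHECK=$(env='() { :;}; echo status=VULNERABLE' bash -c "ls -al /bin/bash" 2>&1 /dev/null)
if [[ $THECHECK == *VULNERABLE* ]] ; then
    echo "$RUNNING hostname=$HOSTNAME cve=2014-6271 status=VULNERABLE"
fi
if [[ $THECHECK != *VULNERABLE* ]] ; then
    echo "$RUNNING hostname=$HOSTNAME cve=2014-6271 status=NOTVULNERABLE"
fi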
<snap>

Note the spacing is screwed up.  See this version on this website:

http://docbox.flint.com:8081/visual.bash#ShellShock

Label is "Working Detect Script"

Kindest Regards,



Paul Flint
(802) 479-2360 Home
(802) 595-9365 Cell

/************************************
Based upon email reliability concerns,
please send an acknowledgement in response to this note.

Paul Flint
17 Averill Street
Barre, VT
05641
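
An added example, not part of the original message or of the linked Splunk script: a POSIX `sh` rendering of the same check. It uses `case` in place of `[[ ... ]]`, which is a bash/ksh extension that shells such as dash do not provide, and reports a hypothetical `NOBASH` status when the binary is absent; the function names and `BASH_BIN` are assumptions made for this example.

```sh
#!/bin/sh
# Added example: POSIX sh port of the bash-based detector above.
# Names (run_probe, classify_probe, shellshock_report, BASH_BIN) and the
# NOBASH status are assumptions of this example, not part of the original.

# Start the bash binary under test with the same crafted environment variable
# as the script above and capture stdout and stderr together.
run_probe() {
    env='() { :;}; echo status=VULNERABLE' "$1" -c : 2>&1
}

# Map captured probe output to a status word. 'case' pattern matching is
# POSIX, unlike the [[ ... == *pattern* ]] test used by the bash version.
classify_probe() {
    case $1 in
        *status=VULNERABLE*) echo VULNERABLE ;;
        *)                   echo NOTVULNERABLE ;;
    esac
}

# Emit one key=value log line in the format the original script uses.
# uname -n stands in for /bin/hostname, which is missing on some minimal hosts.
shellshock_report() {
    bin=${1:-/bin/bash}
    if [ ! -x "$bin" ]; then
        status=NOBASH          # nothing to test on this host
    else
        status=$(classify_probe "$(run_probe "$bin")")
    fi
    echo "$(date) hostname=$(uname -n) cve=2014-6271 status=$status"
}

shellshock_report "${BASH_BIN:-/bin/bash}"
```
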
