diff options
| author | mboelen <michael@cisofy.com> | 2014-10-06 15:41:55 +0400 |
|---|---|---|
| committer | mboelen <michael@cisofy.com> | 2014-10-06 15:41:55 +0400 |
| commit | 74f7cfec840f59db70ac8360420e39f645491727 (patch) | |
| tree | 2d1a51706a417bb345ca75b17add2b1f964351df /include/tests_shells | |
| parent | ef6de1eddc26306ee2d6b9fb6c831ce15303754e (diff) | |
Added Shellshock test improvements
Diffstat (limited to 'include/tests_shells')
| -rw-r--r-- | include/tests_shells | 338 |
1 files changed, 128 insertions, 210 deletions
diff --git a/include/tests_shells b/include/tests_shells index 0a8463b5..5a0c3d34 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -208,218 +208,136 @@ # ################################################################################# # - # Test : SHLL-6293 + # Test : SHLL-6290 # Description : Check shellshock vulnerability - Register --test-no SHLL-6293 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-6271)" + Register --test-no SHLL-6290 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-6271)" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Check if bash is in the list of shells." - FIND=`egrep '(/usr)?/bin/bash' /etc/shells` - if [ ! "${FIND}" = "" -a ! -L ${FIND} ]; then - logtext "Result: found ${FIND} as a valid shell" - # CVE-2014-6271 - logtext "Test: Check for first exploit (CVE-2014-6271)" - echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > /tmp/1.tmp - VULNERABLE=`${FIND} /tmp/1.tmp 2>/dev/null` - #echo "${VULNERABLE}" - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)" - Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED - ReportWarning ${TEST_NO} "H" "Vulnerable to shellshocker! (CVE-2014-6271)" - AddHP 0 5 - else - logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)" - Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN - AddHP 5 5 - fi - else - Display --indent 2 --text "- Didn't find bash in the list of valid shells." - fi - fi -# -################################################################################# -# - # Test : SHLL-6294 - # Description : Check shellshock vulnerability - Register --test-no SHLL-6294 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-6277)" - if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Check if bash is in the list of shells." - FIND=`egrep '(/usr)?/bin/bash' /etc/shells` - if [ ! "${FIND}" = "" -a ! -L ${FIND} ]; then - logtext "Result: found ${FIND} as a valid shell" - # CVE-2014-6271 - logtext "Test: Check for first exploit (CVE-2014-6277)" - echo "(bash -c \"f() { x() { _;}; x() { _;} <<a; }\" 2>/dev/null || echo vulnerable) | grep 'vulnerable'" > /tmp/2.tmp - VULNERABLE=`${FIND} /tmp/2.tmp 2>/dev/null` - #echo "${VULNERABLE}" - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Result: Vulnerable to original shellshock (CVE-2014-6277)" - Display --indent 4 --text "- CVE-2014-6277 (segafult)" --result "WARNING" --color RED - ReportWarning ${TEST_NO} "H" "Vulnerable to shellshocker! (CVE-2014-6277)" - AddHP 0 5 - else - logtext "Result: Not vulnerable to original shellshock (CVE-2014-6277)" - Display --indent 4 --text "- CVE-2014-6277 (segfault)" --result "OK" --color GREEN - AddHP 5 5 - fi - else - Display --indent 2 --text "- Didn't find bash in the list of valid shells." - fi - fi -# -################################################################################# -# - # Test : SHLL-6295 - # Description : Check shellshock vulnerability - Register --test-no SHLL-6295 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-6278)" - if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Check if bash is in the list of shells." - FIND=`egrep '(/usr)?/bin/bash' /etc/shells` - if [ ! "${FIND}" = "" -a ! -L ${FIND} ]; then - logtext "Result: found ${FIND} as a valid shell" - # CVE-20146278 - logtext "Test: Check for CVE-2014-6278" - echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > /tmp/3.tmp - #echo "${VULNERABLE}" - VULNERABLE=`${FIND} /tmp/3.tmp 2>/dev/null` - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Result: Vulnerable to CVE-2014-6278" - Display --indent 4 --text "- CVE-2014-6278 (Florian's patch)" --result "WARNING" --color RED - ReportWarning ${TEST_NO} "H" "Vulnerable to shellshocker (CVE-2014-6278)" - AddHP 0 5 - else - logtext "Result: Not vulnerable to CVE-2014-6278" - Display --indent 4 --text "- CVE-2014-6278 (Florian's patch)" --result "OK" --color GREEN - AddHP 5 5 - fi - else - Display --indent 2 --text "- Didn't find bash in the list of valid shells." - fi - fi -# -################################################################################# -# - # Test : SHLL-6296 - # Description : Check shellshock vulnerability - Register --test-no SHLL-6296 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-7169)" - if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Check if bash is in the list of shells." - FIND=`egrep '(/usr)?/bin/bash' /etc/shells` - #echo "SSHELLS=${SSHELLS}" - if [ ! "${FIND}" = "" -a ! -L ${FIND} ]; then - logtext "Result: found ${FIND} as a valid shell" - # CVE-2014-7168 - logtext "Test: Check for taviso bug CVE-2014-7169" - echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > /tmp/4.tmp - VULNERABLE=`${FIND} /tmp/4.tmp 2>/dev/null` - #echo "${VULNERABLE}" - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)" - Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED - ReportWarning ${TEST_NO} "H" "Vulnerable to shellshocker (CVE-2014-7169)" - AddHP 0 5 - else - logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)" - Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN - AddHP 5 5 - fi - else - Display --indent 2 --text "- Didn't find bash in the list of valid shells." - fi - fi -# -################################################################################# -# - # Test : SHLL-6297 - # Description : Check shellshock vulnerability - Register --test-no SHLL-6297 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-7186)" - if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Check if bash is in the list of shells." - FIND=`egrep '(/usr)?/bin/bash' /etc/shells` - #echo "SSHELLS=${SSHELLS}" - if [ ! "${FIND}" = "" -a ! -L ${FIND} ]; then - logtext "Result: found ${FIND} as a valid shell" - # CVE-2014-7186 - logtext "Test: Check for CVE-2014-7186" - echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > /tmp/5.tmp - VULNERABLE=`${FIND} /tmp/5.tmp 2>/dev/null` - #echo "$VULNERABLE" - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Result: Vulnerable to CVE-2014-7186" - Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED - ReportWarning ${TEST_NO} "H" "Vulnerable to shellshocker (CVE-2014-7186" - AddHP 0 5 - else - logtext "Result: Not vulnerable to CVE-2014-7186" - Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN - AddHP 5 5 - fi - #set +x - else - Display --indent 2 --text "- Didn't find bash in the list of valid shells." - fi - fi -# -################################################################################# -# - # Test : SHLL-6298 - # Description : Check shellshock vulnerability - Register --test-no SHLL-6298 --weight H --network NO --description "Check shellshock vulnerability (CVE-2014-7187)" - if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Check if bash is in the list of shells." - FIND=`egrep '(/usr)?/bin/bash' /etc/shells` - #echo "SSHELLS=${SSHELLS}" - if [ ! "${FIND}" = "" -a ! -L ${FIND} ]; then - logtext "Result: found ${FIND} as a valid shell" - # CVE-2014-7186 - logtext "Test: Check for CVE-2014-7187" - echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > /tmp/6.tmp - VULNERABLE=`${FIND} /tmp/6.tmp 2>/dev/null` - #echo "$VULNERABLE" - if [ ! "${VULNERABLE}" = "" ]; then - logtext "Result: Vulnerable to CVE-2014-7187" - Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED - ReportWarning ${TEST_NO} "H" "Vulnerable to shellshocker (CVE-2014-7187)" - AddHP 0 5 - else - logtext "Result: Not vulnerable to CVE-2014-7187" - Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN - AddHP 5 5 - fi - #set +x - else - Display --indent 2 --text "- Didn't find bash in the list of valid shells." - fi - fi -# -################################################################################# -# - # Test : SHLL-6299 - # Description : Check shellshock vulnerability - Register --test-no SHLL-6299 --weight H --network NO --description "Check shellshock vulnerability (Exploit #3 - shellshocker.net)" - if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Check if bash is in the list of shells." - FIND=`egrep '(/usr)?/bin/bash' /etc/shells` - #echo "SSHELLS=${SSHELLS}" - if [ ! "${FIND}" = "" -a ! -L ${FIND} ]; then - logtext "Result: found ${FIND} as a valid shell" - # CVE-2014-//// - logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" - echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > /tmp/7.tmp - VULNERABLE=`${FIND} /tmp/7.tmp 2>/dev/null` - if [ "${VULNERABLE}" = "hello" ]; then - logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)" - Display --indent 4 --text "- Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED - ReportWarning ${TEST_NO} "H" "Vulnerable to shellshocker (Exploit #3 - shellshocker.net)" - AddHP 0 5 - else - logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)" - Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN - AddHP 5 5 - fi - else - Display --indent 2 --text "- Didn't find bash in the list of valid shells." - fi - fi + FOUND=0 + Display --indent 2 --text "- Testing for Shellshock vulnerability" + logtext "Test: Check if bash is in the list of shells." + FIND=`egrep '(/usr)?(/local)?/bin/bash' /etc/shells` + if [ ! "${FIND}" = "" -a ! -L ${FIND} ]; then + logtext "Result: found ${FIND} as a valid shell" + + SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1 + + # CVE-2014-6271 + logtext "Test: Check for first exploit (CVE-2014-6271)" + echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)" + Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)" + Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN + fi + + # CVE-2014-6277 + logtext "Test: Check for first exploit (CVE-2014-6277)" + echo "(bash -c \"f() { x() { _;}; x() { _;} <<a; }\" 2>/dev/null || echo vulnerable) | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to original shellshock (CVE-2014-6277)" + Display --indent 4 --text "- CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to original shellshock (CVE-2014-6277)" + Display --indent 4 --text "- CVE-2014-6277 (segfault, lcamtuf bug #1)" --result "OK" --color GREEN + fi + + # CVE-2014-6278 + logtext "Test: Check for CVE-2014-6278" + echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to CVE-2014-6278" + Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to CVE-2014-6278" + Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN + fi + + # CVE-2014-7169 + logtext "Test: Check for taviso bug CVE-2014-7169" + echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)" + Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)" + Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN + fi + + # CVE-2014-7186 + logtext "Test: Check for CVE-2014-7186" + echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to CVE-2014-7186" + Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to CVE-2014-7186" + Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN + fi + + # CVE-2014-7187 + logtext "Test: Check for CVE-2014-7187" + echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to CVE-2014-7187" + Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to CVE-2014-7187" + Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN + fi + + # CVE-2014-//// + logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" + echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP} + VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` + rm -f ${SHELLSHOCK_TMP} + if [ ! "${VULNERABLE}" = "" ]; then + logtext "Output: ${VULNERABLE}" + logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)" + Display --indent 4 --text "- Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED + FOUND=1 + else + logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)" + Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN + fi + + else + logtext "Result: could not find bash in /etc/shells" + Display --indent 4 --text "Result: bash not in the list of valid shells (tests skipped)." + fi + + if [ ${FOUND} -eq 1 ]; then + ReportWarning ${TEST_NO} "H" "System vulnerable to Shellshock (bash)" + AddHP 0 25 + else + AddHP 5 5 + fi + fi # ################################################################################# # |