2

I am interested in testing for Shellshock-vulnerable machines that I don't have shell access to on my LANs and WANs, such as IPMI cards and Internet of Things devices. What is the best way to remotely verify the vulnerability on machines? Does anybody have a simple shell script that can be run?

I want to avoid using any websites that do this test as they may actually take advantage of the information gained by running the tests on vulnerable machines.

Timothy C. Quinn
  • Hmm... is it possible to test something remotely on the internet, without shell server, http server, telnet server, or any other kind of socket listening? – Adionditsak Sep 25 '14 at 18:31
  • There are many black box devices out there with web services but no shell. These types of devices are listening for some services. An example are IPMI cards. – Timothy C. Quinn Sep 25 '14 at 18:40
  • Maybe worth trying? Uses masscan, but you can select the IP ranges. http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html *Note:* I haven't tried that myself. – Sebastian Sep 25 '14 at 18:43
  • Shellshock isn't directly remotely exploitable or testable. You need to be running a service which exposes something that triggers bash. Testing for it will depend on what kind of services the machine provides. Embedded systems rarely have bash in the first place anyway. – Gilles 'SO- stop being evil' Sep 26 '14 at 00:16
  • True. Busybox or other monolithic *nix toolkits are not susceptible to this particular vulnerability and most embedded systems will use such a system. I'm feeling guilty now for cursing busybox so much previously. – Timothy C. Quinn Sep 26 '14 at 03:53
  • @Anthon - If I re-worded to cover just cgi based exploits using *nix shell script to test, would that help to constrain the request? – Timothy C. Quinn Sep 26 '14 at 13:46
  • @JavaScriptDude The problem is that even the setup of CGI-based calls that might end up calling `bash` has an infinite number of possibilities. That is nothing you can write a generic program for. Even if bash is called, there is no guarantee that it is exploitable, just that it might be. So the question about auto-testability will stay too broad, however nice it would be to have such a feature. – Anthon Sep 26 '14 at 14:03
  • @JavaScriptDude On the other hand, I am only one of the reviewers and others might feel differently. You can also consider asking on meta whether it is possible, and what you would need to do, to get your question into acceptable shape. – Anthon Sep 26 '14 at 14:10

0 Answers