If you thought Heartbleed was bad, at least it could be patched. How many devices have bash embedded on them that cannot be patched?
http://www.theregister.co.uk/2014/09/25/shell_shocked_not_yet/
Quick way to test: run this
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Basically, within a statement setting an environment variable, declare a function and trail it with a command. The vulnerability is that the command will be executed.
If your shell echoes the word "vulnerable", it is at risk.
If you get an error (see below), then you should be safe.
GOOD:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
BAD:
vulnerable
this is a test
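An added example, not part of the original post: a POSIX shell script that runs the probe above against one or more bash binaries and classifies the output, for hosts with several bash builds installed. The function names and the VULNERABLE/PATCHED/UNKNOWN labels are assumptions made for this example; a run that prints only "this is a test" with no warning is also counted as PATCHED, because the trailing command did not execute.

```shell
#!/bin/sh
# Added example: wraps the probe from the post; names and labels are illustrative.

# classify_probe_output TEXT -> prints VULNERABLE, PATCHED or UNKNOWN
classify_probe_output() {
    # The trailing command, if executed, prints "vulnerable" on its own line.
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo VULNERABLE
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # The requested command ran and the trailing one did not,
        # with or without the "ignoring function definition" warning.
        echo PATCHED
    else
        # No recognisable output: binary missing, not bash, or it crashed.
        echo UNKNOWN
    fi
}

# check_bash PATH -> runs the probe against that binary, prints the verdict
check_bash() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>&1) || true
    classify_probe_output "$out"
}

# scan_bash_binaries PATH... -> "path<TAB>verdict" per executable found;
# returns 1 if any binary was VULNERABLE, 0 otherwise
scan_bash_binaries() {
    rc=0
    for b in "$@"; do
        if [ -x "$b" ]; then
            verdict=$(check_bash "$b")
            printf '%s\t%s\n' "$b" "$verdict"
            if [ "$verdict" = VULNERABLE ]; then rc=1; fi
        fi
    done
    return "$rc"
}

# Usage: sh check.sh /bin/bash /usr/local/bin/bash
if [ "$#" -gt 0 ]; then
    scan_bash_binaries "$@" || echo "vulnerable bash found" >&2
fi
```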