Our management wants a report of the systems that are vulnerable to the Shellshock bug.
I'm not an experienced scripter, but I want to have the result -> vulnerable | safe to in a variable so I can drop this in a PLIST and use an extension attribute for reporting. This may not be best practice, but this is how it's been requested.
$RESULT='env x='() { :;}; echo vulnerable' bash -c "safe"'; ==> Result to PLIST file
I hope somebody can help me out. Thanks
Just create an extension attribute like this one:
#!/bin/bash
echo "<result>`env x='() { :;}; echo kwetsbaar' bash -c " "`</result>"
exit 0Ja in het Nederlands ;-) kom je morgen naar JNUG Amsterdam? https://jamfnation.jamfsoftware.com/discussion.html?id=10947
I created an extension attribute which reports back your bash version. There will be numerous versions of bash patches so I felt this was the best way of reporting back.
#!/bin/sh
RESULT=$(bash --version | awk {'print $4'} | tr -d "
" | sed -e 's/-.*//g')
echo "<result>$RESULT</result>"
exit 0bash maintains it's own internal variables with version info.
http://tldp.org/LDP/abs/html/internalvariables.html
#!/bin/bash
echo "<result>${BASH_VERSINFO[2]}</result>"ryan@AIR-ML-RMANLY test $ ./test
<result>53</result>
ryan@AIR-ML-RMANLY test $ cat ./test
#!/bin/bash
echo "<result>${BASH_VERSINFO[2]}</result>"
ryan@AIR-ML-RMANLY test $ /bin/bash
ryan@AIR-ML-RMANLY test $ echo $BASH_VERSION
3.2.53(1)-release
ryan@AIR-ML-RMANLY test $ exit
Here's what I'm using- reports on the three big issues: 6271, 7169 and 6278.
# test for CVE-2014-6271 aka original shellshock
r=`x="() { :; }; echo x" bash -c ""`
if [ -n "$r" ]; then
result="Vulnerable to CVE-2014-6271"
else
result="CVE-2014-6271 is patched"
fi
cd /tmp;rm echo 2>/dev/null
# test for CVE-2014-7169
X='() { function a a>' bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
result="${result} Vulnerable to CVE-2014-7169"
else
result="${result} CVE-2014-7169 is patched"
fi
# test for CVE-2014-6278
z=`a="() { echo x;}" bash -c a 2>/dev/null`
if [ -n "$z" ]; then
result="${result} Vulnerable to CVE-2014-6278"
else
result="${result} CVE-2014-6278 is patched"
fi
echo "<result>$result</result>"I am extremely fortunate to have a UNIX guy in my shop, so he was able to assist me with awk & cut to get just the version info from "bash --version", like below...
#!/bin/bash
bashver=`bash --version | awk '/GNU/ {print $4}'| cut -d '(' -f1`
echo "<result>$bashver</result>"
exitHmm. Seems to me that @rmanly's approach is the best if we're talking about just pulling the bash version. I always forget about internal variables, so thanks rmanly for pointing that out!
Here's what I would use to report the full version in an EA:
#!/bin/sh
echo "<result>$(echo $BASH_VERSION | cut -d'(' -f1)</result>"Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.