A quick Shellshock test on my MBP

If you’ve not read about Shellshock yet today, you probably should. For most people it’ll mean little in reality and the net impact will be an urgent security update, assuming they’re on OS X or Linux. Of course a different question is how overblown the press will make reports of Shellshock, given the panic they spread around Heartbleed earlier in the year!? You can always tell how good a job they’ve done at worrying people when friends and family phone you up and start with the phrase “you’re a geek … should I be worried about <insert technology issue>”.

Of course it is always concerning when a vulnerability is as historically long-lived and widespread as Shellshock seems it could be. Obvious things will be patched quickly, but there’ll be those old systems sat in the background that never will be. However, despite all the doom and gloom that will be spread about it “taking over entire websites”, the typical question of how a hacker is going to get to remotely execute said vulnerability-exploiting bash script in the first place remains!?

Starting with the most obvious, a quick check on my MBP running OS X 10.8.5 shows that it is indeed vulnerable.

bash --version
GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12)
Copyright (C) 2007 Free Software Foundation, Inc.

And executing a standard test example …

env x='() { :;}; echo vulnerable' bash -c 'echo to me stealing all your money'
vulnerable
to me stealing all your money
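
The same probe as a reusable check, as an added example that is not part of the original post: it runs the test string above against every bash listed in /etc/shells and labels each one. The function names probe_bash and scan_shells and the probe-done marker are made up for this example, and taking /etc/shells as the list of installed shells is an assumption.

```shell
#!/bin/sh
# Added example: classify bash binaries with the probe shown above.

# probe_bash PATH -> prints "vulnerable", "patched", "error" or "missing".
probe_bash() {
    shell=$1
    [ -x "$shell" ] || { echo missing; return 0; }
    # Same probe as above: variable x holds a function definition followed by
    # a trailing command. A fixed bash imports nothing and never runs the
    # trailing echo; warnings it may print go to stderr and are discarded.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo probe-done' \
        2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *probe-done*) echo patched ;;
        *)            echo error ;;   # the shell did not run the command
    esac
}

# scan_shells [FILE] -> one "PATH STATUS" line per bash entry in FILE.
# FILE is in /etc/shells format (assumed source of installed shells).
scan_shells() {
    list=${1:-/etc/shells}
    [ -r "$list" ] || return 0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;      # skip blanks and comments
            */bash)  printf '%s %s\n' "$line" "$(probe_bash "$line")" ;;
        esac
    done < "$list"
}

scan_shells /etc/shells
```

Anything reported as vulnerable needs the vendor's bash update; a copy that is not listed in /etc/shells can be checked directly with probe_bash and its path.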

However, probably more importantly SSHing into my router running DD-WRT shows that it’s not got bash enabled.

Will be interesting to see how this one develops and whether I’ll get any phone calls!?