Monday, October 13, 2014

the shocker

sure... we have centralized everything. what we sysadmins do have are pubkeys all over the place. so how do we figure out how much of a pain patching the many shellshock and aftershock systems on our networks is going to be? well, crap. first step is to enumerate: yank the dns zone files, strip them down to a plain list of addresses and feed them into:
#!/bin/bash
datestamp=$(date +"%m-%d-%Y")
check_script=shellshock-check.sh   # placeholder: the post does not give the check script's filename
for ip_addr in $(cat strippedzonefile); do
  # only bother with hosts that answer a single ping
  ping -q -c 1 "$ip_addr" >/dev/null && {
    echo " *** $ip_addr *** " >> output
    # copy the check script over (BatchMode: fail instead of prompting when no key is set up)
    scp -B "$check_script" "root@$ip_addr:/root/" >> output 2>&1
    # run it; ssh errors (no key, timeout) land in the report next to the host header
    ssh -o ConnectTimeout=1 -o BatchMode=yes -o ConnectionAttempts=1 \
        -o PasswordAuthentication=no "root@$ip_addr" \
        /bin/bash "/root/$check_script" >> output 2>&1
    echo "done"
  }
done
mail -s "shellshock and aftershock report $datestamp" you@somewhere < output
which scp's the following check script over to each host and executes it:
#!/bin/bash
# run from a scratch dir: the cve-2014-7169 probe can leave a file named "echo" in the cwd on a vulnerable bash
cd "$(mktemp -d)" || exit 1
SHELLSHOCK=$(env x='() { :;}; echo true' /bin/bash -c "" 2>/dev/null)
AFTERSHOCK=$(env var='() {(a)=>\' /bin/bash -c "echo date | grep -v date" 2>/dev/null)
if [ -n "$SHELLSHOCK" ]; then
  echo "cve-2014-6271 vulnerability detected - shellshock"
else
  echo "cve-2014-6271 not detected - shellshock"
fi
if [ -n "$AFTERSHOCK" ]; then
  echo "cve-2014-7169 vulnerability detected - aftershock"
else
  echo "cve-2014-7169 not detected - aftershock"
fi
which writes something like this to output:
 *** ***
cve-2014-6271 vulnerability detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
 *** ***
 *** ***
you get the picture.
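to turn that report into the number you actually want (how many boxes need patching per CVE, and which ones the loop could not even check), here is an added example that is not part of the original post. it assumes the " *** ip *** " header format above and works on a constructed sample report:

```shell
#!/bin/sh
# Added example, not from the original post. Summarize the "output" report
# into per-CVE host lists and counts. Assumed format: a " *** <ip> *** "
# header line per host, followed by the check script's lines; anything
# else under a header (e.g. an ssh error) is kept but not counted.

# hosts whose block contains "<cve> vulnerability detected" ($1 = cve id, $2 = report)
vulnerable_hosts() {
  awk -v cve="$1" '
    /^ *\*\*\* .* \*\*\* *$/ { host = $2; next }
    host != "" && index($0, cve " vulnerability detected") { print host }
  ' "$2" | sort -u
}

count_vulnerable() { vulnerable_hosts "$1" "$2" | wc -l | tr -d ' '; }

# hosts that answered ping but returned no check result at all (scp or ssh
# failed, typically because no key for root is installed there)
unchecked_hosts() {
  awk '
    function flush() { if (host != "" && !seen) print host }
    /^ *\*\*\* .* \*\*\* *$/ { flush(); host = $2; seen = 0; next }
    /cve-[0-9]+-[0-9]+ (vulnerability detected|not detected)/ { seen = 1 }
    END { flush() }
  ' "$1" | sort -u
}

# constructed sample report in the format the loop above produces
REPORT=$(mktemp)
cat > "$REPORT" <<'EOF'
 *** 10.0.0.11 *** 
cve-2014-6271 vulnerability detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
 *** 10.0.0.12 *** 
cve-2014-6271 not detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
 *** 10.0.0.13 *** 
Permission denied (publickey).
EOF

for cve in cve-2014-6271 cve-2014-7169; do
  printf '%s: %s host(s) to patch: %s\n' "$cve" \
    "$(count_vulnerable "$cve" "$REPORT")" \
    "$(vulnerable_hosts "$cve" "$REPORT" | tr '\n' ' ')"
done
printf 'unchecked (fix ssh keys first): %s\n' "$(unchecked_hosts "$REPORT" | tr '\n' ' ')"
```

point the functions at the real output file instead of $REPORT and the unchecked list doubles as your "where are the pubkeys missing" list.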