
is it working? #5

Closed
alanthehat opened this issue Mar 9, 2015 · 9 comments

Comments

@alanthehat

I have just installed this fully patched binary & your app is telling me that it's still vulnerable

http://forum.xda-developers.com/showpost.php?p=55884202&postcount=1

@alanthehat (Author)

This script says it's clean
https://github.com/hannob/bashcheck

@srguglielmo

I can confirm this. The hannob/bashcheck script says I am not vulnerable. However, this app says I am.

I installed this app from F-Droid.

I am using CyanogenMod 12.1-20150909-NIGHTLY. Bash version 4.3.33(1)-release

I also tested my phone with the shellshock testing script from https://shellshocker.net, which said I was NOT vulnerable as well.

@uniqdom

uniqdom commented Dec 6, 2016

I can confirm this. The hannob/bashcheck script says that cm-14.1-20161206-NIGHTLY is clean, but this app says that it is vulnerable, exactly as @srguglielmo says.

Bash version: GNU bash, version 4.3.42(1)-release (arm-android-eabi)

Shellshock-Vulnerability-Scan screenshot: https://s21.postimg.org/m0cfqkh9j/Screenshot_20161124_101433.png
Hannob/bashcheck screenshot: https://s16.postimg.org/qfhfykwr9/Screenshot_20161206_091245.png

@indiandragon (Owner)

Hi guys, I will check the code when I get some free time. Feel free to review and give me a PR if you were able to locate the issue.
Btw, the code is very simple.

@alexxcons

I even have 2 false positives here:
1x bash v.4.3.42(1) on an i9506 - LineageOS 14.1 (Android 7.1.1) custom ROM from xda-developers
1x bash v.4.3.30(1) on an i9001 - CyanogenMod 11 (Android 4.4.4) custom ROM from xda-developers
Cross-checked with com.trustlook.bashscanner.

@alexxcons

alexxcons commented Feb 1, 2017

> Feel free to review and give me a PR if you were able to locate the issue.

`String[] command = {"env","X=\"() { :;} ; echo busted\"","bash","-c","bash -version"};`
From what I know, you cannot use the same type of quotes twice in one statement. You at least need to use a different type of quote.
I have also worked with ProcessBuilder to execute a command on Linux, and I have to say that it is a fucking bitch ;F
You at least need to check the ErrorStream to see if things worked well, or if you received rubbish. Here is how I did it on a project I have to work on:
https://sourceforge.net/p/silecs-eclipse-plugin/code/ci/gsi-neon-1.2.3/tree/silecs-eclipse-plugin/src/java/cern/silecs/utils/OSExecute.java#l66
You can just copy + paste the 2 methods "executeCommand" and use them ( just use "Exception" instead of "SilecsException"). Check "executePython" to see how to build a multi-line command and how to deal with double-quotes.

I would suggest removing your current app from the Play Store and F-Droid until you have fixed it!
It scared me to hell for a long time that my device was vulnerable, until I checked in detail / with other methods.
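As an added example (not code from the Shellshock-Vulnerability-Scan app or from anyone in this thread), the POSIX shell function below runs the kind of CVE-2014-6271 probe the app attempts, handing the payload to `env` as one literal argv element, which is exactly how `ProcessBuilder` passes each element of its `String[]`: no shell re-parses it, so any quote characters inside the element become part of the value of `X`. It separates the three outcomes a scanner has to tell apart: `busted` was printed (vulnerable), the command ran without it (patched), or the process failed (error, reported with the first stderr line, which must never be shown to the user as "vulnerable"). The function name `probe_shellshock`, the `probe-ran` marker and the optional second parameter that substitutes another interpreter for `bash` are assumptions made for this example.

```shell
# Added example: a Shellshock (CVE-2014-6271) probe that passes its payload
# exactly as a process spawner without a shell would. It is not code from the
# Shellshock-Vulnerability-Scan app; function and marker names are assumptions.
#
# probe_shellshock PAYLOAD [INTERPRETER]
#   PAYLOAD      the exact string the variable X will hold. No shell re-parses
#                it, just as ProcessBuilder passes each argv element verbatim,
#                so quote characters inside PAYLOAD end up inside the value.
#   INTERPRETER  defaults to bash; a second argument lets a test substitute
#                another program (assumption made for this example).
# Prints exactly one of: vulnerable | patched | error: ...
probe_shellshock() {
    payload=$1
    interp=${2:-bash}
    errf=$(mktemp) || return 1
    rc=0
    # Unpatched bash executes the trailing "echo busted" while importing X,
    # before it reaches the -c command; patched bash only runs the command.
    # stderr is captured separately so a startup failure is not mistaken for
    # a result, which is the ErrorStream check discussed above.
    out=$(env "X=$payload" "$interp" -c 'echo probe-ran' 2>"$errf") || rc=$?
    firsterr=$(head -n 1 "$errf")
    rm -f "$errf"
    case $out in
        *busted*)    echo vulnerable ;;
        *probe-ran*) echo patched ;;
        *)           echo "error: exit status $rc: $firsterr" ;;
    esac
}

# Stand-alone run against the bash found on PATH.
probe_shellshock '() { :;}; echo busted'
```

Because the payload reaches bash verbatim, an argv element written as `X="() { :;} ; echo busted"` with the quote characters kept inside the string gives `X` a value that begins with a `"`. Bash, patched or not, only ever treated values beginning with `() {` as function definitions, so that element can never make `busted` appear; a scanner built that way has to be reporting "vulnerable" for some other reason, such as a failed process or an unchecked stream, which is why the error branch above is kept separate from the two real results.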

@arch-user-france1

I think this app is still on the Play Store

@arch-user-france1

Or F-Droid

@indiandragon (Owner)

I have unpublished the app, I apologize for the delay in doing so.

I assumed the app had been removed automatically due to the lack of development or at least that people wouldn't be searching for it still.

6 participants