I read an article that a universal script is available to test your system for the ShellShock vulnerability.
Many things indicate that more bash vulnerabilities will be found in the future and thus it is important to test for each one every time a patch is released.
Rather than having to run the different code/scripts for each vulnerability, Hanno Böck created a universal script that will test for these on each execution. The script is being updated by various contributors to test for the latest vulnerabilities.
It can be found here: https://github.com/hannob/bashcheck.
With QNAP releasing two updates to patch bash, I wanted a way to be sure that the patch is indeed applied and working. Below is the procedure I followed to execute the script on my NAS.
- Log in to the NAS via an SSH client as admin. I used PuTTY.
- Open the script’s GitHub URL, linked above, and click on the bashcheck script link.
- Highlight only the script found in the site and copy it.
- In the SSH session go to /tmp

      cd /tmp

- Type the following command to open a text editor and create a file called bashcheck.sh

      vi bashcheck.sh

  The below output will be shown in the client
- Press “i” to enter INSERT mode.
- Right click in the black space and the script that was copied earlier, step 3, should be pasted in the window as seen below.
- Find line 15 and remove the “-t” switch. It should look like the one below. Failing to do this might result in an error when creating the tmp.XXXXXXXX directory.

      tmpdir=`mktemp -d tmp.XXXXXXXX`

- Press the Esc key to exit INSERT mode and type

      :wq

  This will exit the editor and save the contents to bashcheck.sh in /tmp
- The script is saved and needs to be given permission to execute so you need to type the following command:

      chmod 775 bashcheck.sh

- Once that is done you need to execute the script by typing

      ./bashcheck.sh

- The output should be similar to the below:
As you can see, the script checks for multiple vulnerabilities. The most important ones are CVE-2014-6271 and CVE-2014-7169. At the time of writing it is considered that having these two patches should prevent other bugs from being exploited via ShellShock.
This was performed on a QNAP NAS with an ARM processor (TS-210). I am sure this would work on other brands as long as a Linux kernel and bash are installed on them. Some other tweaks might be required.
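The edit-and-chmod steps above can also be done without vi. The following is an added example, not part of the original post or of bashcheck: `prepare_bashcheck` is a hypothetical helper name and the sample file is a constructed stand-in for the pasted script. It goes slightly beyond the steps by matching the mktemp call itself rather than line 15, and by rejecting a paste that lost its first characters.

```shell
#!/bin/sh
# Added example: prepare a pasted copy of the script non-interactively.
# prepare_bashcheck is a hypothetical helper, not something bashcheck ships.

prepare_bashcheck() {
    script=$1
    [ -f "$script" ] || { echo "missing: $script" >&2; return 2; }

    # A paste that started before vi was in INSERT mode loses its first
    # characters; a shell script should still begin with "#!".
    case $(head -n 1 "$script") in
        '#!'*) ;;
        *) echo "first line is not a shebang, paste again" >&2; return 3 ;;
    esac

    # Remove the -t switch from the mktemp call. Match the call itself rather
    # than line 15, since the line number can shift as the script is updated.
    sed 's/mktemp -d -t /mktemp -d /' "$script" > "$script.new" || return 1
    mv "$script.new" "$script"

    # Same permission as the chmod step in the procedure.
    chmod 775 "$script"
}

# Constructed stand-in for the pasted file (NOT the real bashcheck script).
demo_dir=$(mktemp -d /tmp/prep.XXXXXX)
cat > "$demo_dir/bashcheck.sh" <<'EOF'
#!/bin/bash
tmpdir=`mktemp -d -t tmp.XXXXXXXX`
echo "would run checks in $tmpdir"
EOF

# Show the mktemp line after preparation.
prepare_bashcheck "$demo_dir/bashcheck.sh" && grep mktemp "$demo_dir/bashcheck.sh"
```

On the NAS the helper would be called as `prepare_bashcheck /tmp/bashcheck.sh`, followed by `./bashcheck.sh` as in the last step.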
Please note that I am not a Linux expert. If you are, please leave a comment if something is inaccurate or if you have more to add!