Trouble with quoting a shellshock test


Mark Casey

Sep 26, 2014, 10:00:57 PM
to ansible...@googlegroups.com
I'm trying to write an Ansible task to check for both CVE-2014-6271 and CVE-2014-7169 as I haven't been able to find one pre-made.

This command should check both but for the life of me I can't get the escaped single quote past the parser... I've tried some variants of "shell: >" and "shell: |" but no dice.


- name: Check for shellshock fix (checks for both CVE-2014-6271 and CVE-2014-7169)
  shell: cd /tmp && rm -f /tmp/echo && env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\' bash -c 'echo echo vulnerable'; cat echo
  args:
    executable: /bin/bash
  sudo: no
  register: shellshock_result2
  changed_when: False
  failed_when: "'vulnerable' in shellshock_result2.stderr"

This version gives:

ERROR: There was an error while parsing the task "shell cd /tmp && rm -f /tmp/echo && env 'x=() { :;}; echo vulnerable' 'f=() { (a)=>\\' bash -c 'echo echo vulnerable'; cat echo".
Make sure quotes are matched or escaped properly


I'm assuming the issue is that, if I understand correctly, the second exploit partly depends on the mismatched quote arriving unharmed(?) and YAML thinks that is bad(?).

Anyone have any ideas or should I just copy it over as a script and run that?

Thank you,
Mark

Mark Casey

Sep 26, 2014, 10:02:40 PM
to ansible...@googlegroups.com
Oh... the official source of the commands was: https://access.redhat.com/articles/1200223, but someone was nice enough to combine them in: https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c47

Igor Homyakov

Sep 27, 2014, 3:04:25 AM
to ansible...@googlegroups.com
Hi Mark,

I think it is not a good idea to use a one-liner like that. There are
many players besides the bash interpreter, YAML parser, Python string
quotation and so forth. I would recommend you use a bash script
in this case.

I've made a simple role; it is based on the code samples you provided. I
hope you will find it useful:
https://github.com/hostmaster/check_shellshock

-- Best, Igor

Michael DeHaan

Sep 27, 2014, 10:18:24 AM
to ansible...@googlegroups.com
I'm a big fan of the "script" module when you need to push and run a tiny shell script.
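
An added example, not part of the thread and not the code of the role linked above: the two checks from the original task moved into a script that the "script" module can push, so the unbalanced quote passes only through bash quoting. The file name check_shellshock.sh, the BASH_UNDER_TEST variable and the register name are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Pushed and run by Ansible's "script"
# module, so the test strings never pass through the YAML/task parser.
# Hypothetical task (file name and register variable are assumptions):
#   - script: check_shellshock.sh
#     register: shellshock
#     changed_when: False
#     failed_when: "'VULNERABLE' in shellshock.stdout"

# Shell under test; override to check another bash binary.
BASH_UNDER_TEST=${BASH_UNDER_TEST:-/bin/bash}

# CVE-2014-6271: a vulnerable bash runs the command that trails the function
# definition in the imported variable, so the marker shows up on stdout.
check_6271() {
    out=$(env 'x=() { :;}; echo vulnerable' "$BASH_UNDER_TEST" -c 'echo probe' 2>/dev/null)
    case $out in
        *vulnerable*) echo VULNERABLE ;;
        *) echo ok ;;
    esac
}

# CVE-2014-7169: a vulnerable bash keeps the dangling '>\' from the variable
# and turns the next command into a redirection, creating a file named "echo".
# A private scratch directory replaces the thread's "cd /tmp && rm -f /tmp/echo".
check_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'f=() { (a)=>\' "$BASH_UNDER_TEST" -c 'echo echo vulnerable' ) >/dev/null 2>&1
    if [ -e "$dir/echo" ]; then echo VULNERABLE; else echo ok; fi
    rm -rf "$dir"
}

shellshock_report() {
    # Without this guard a missing binary would be reported as "ok".
    [ -x "$BASH_UNDER_TEST" ] || { echo "no executable at $BASH_UNDER_TEST"; return 0; }
    echo "CVE-2014-6271: $(check_6271)"
    echo "CVE-2014-7169: $(check_7169)"
}

shellshock_report
```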




Igor Homyakov

Sep 28, 2014, 4:40:37 AM
to ansible...@googlegroups.com

Absolutely, it fitted perfectly.

-- Best, Igor

On Sep 27, 2014, at 18:18, "Michael DeHaan" <mic...@ansible.com> wrote:

Mark Casey

Sep 28, 2014, 8:13:22 PM
to ansible...@googlegroups.com
Thanks to both for the suggestions.

Mark

Igor Homyakov

Sep 29, 2014, 4:36:23 AM
to ansible...@googlegroups.com