Q & A

This simple command is a sufficient test to see if your version of bash is vulnerable:

x='() { :;}; echo VULNERABLE' bash -c :

It’s not necessary to have extra text printed to signify that the command has actually run, because patched versions of bash will report a warning when a variable in its starting environment contains exploit code for the patched vulnerability.

On a vulnerable system:

$ x='() { :;}; echo VULNERABLE' bash -c :
 VULNERABLE

On a patched system:

$ x='() { :;}; echo VULNERABLE' bash -c :
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'