DeMISTIfying Infosec: Shellshock

By Katherine Teitler


The Shellshock Bash bug was a remote code execution vulnerability first disclosed on September 24, 2014. A researcher named Stéphane Chazelas initially discovered the bug and contacted Bash's maintainer, Chet Ramey so he could develop a patch. 

Bash, itself, is a Unix shell and command language for Unix operating systems (OS). It is a free software replacement for the earlier Bourne shell. Bash is the default command-line interpreter for Linux and Mac OS X, and is distributed as the shell for the GNU OS. Bash is used in servers and network devices like modems, routers, older embedded devices (think: IoT), and the Apple OS X. It is a text-based user interface which instructs the computer to execute tasks and affects the way processes are run on a computer.

Weaknesses in the original configuration of Bash allowed attackers to remotely execute command lines and scripts, or arbitrary code, to change contents of Web servers, move or delete files, install malware or backdoors, steal data, etc. Because of the weakness, attackers could add malicious code to the environment variable.

Reports of automated botnets executing DDoS proliferated in the days following the disclosure. "A Google search by Ars Technica using advanced search parameters yielded over two billion webpages that at least partially fit the profile for the Shellshock exploit." While the potential for damage was great, most Bash systems were not actually remotely exploitable since an attacker would have needed to send a malicious environment variable.

Security experts compared Shellshock to Heartbleed, a similar open source vulnerability, because of the potential reach. At the time of disclosure, about 25 years' worth of Bash versions were in use across the globe.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.