Tech Solvency / The Story So Far / Shellshock (CVE-2014-6271, CVE-2014-7169)
Excellent deep-dive technical analysis and timeline by David Wheeler:
Troy Hunt:


The early shellshock/badbash zero-day exploiting CVE-2014-6271:

Packet Storm vuln summaries by CVE (lists major distro impacts, etc.):

Original news about initial fix being incomplete: [and responses]

2014-10-13: Reverse DNS lookups as an exploitation vector
Michal Zalewski (Google):

2014-09-30: Good CloudFlare blog item

2014-10-02: OpenDNS analysis of scanning activity


First patch addressing the incomplete initial patch:

2014-09-29: Binary patching.

Solar Designer posts binary patch method:
Python method from Antti Louko:

See product-specific section for per-vendor remediation.


Some BusyBox builds may be affected:

2014-09-27: Exploitation vectors analysis (some inetd, exim, qmail, procmail, openvpn):

mod_perl, mod_php, mod_python OK, but mod_cgi (and therefore cPanel) vulnerable:

2014-09-26: F5 BIG-IP vulnerable:

2014-10-12: Juniper:

2014-09-30: OpenVPN vulnerable in some configs.

2014-10-02: QNAP NAS vulnerable.

2014-10-02: McAfee Web Gateway and McAfee Email Gateway shellshock fixes announced here:

2014-10-02: Request Tracker (RT 4.2.x) vulnerable

2014-10-03: Citrix NetScaler not directly vulnerable, but includes bash; VPX patch for DHCP issue forthcoming.

2014-10-07: Oracle updates its patches:

Detection and testers

2014-10-03: Really good local checker for all known variants.

My own simple wget script to walk an entire site for shellshock. Not as fast as masscan, but more configurable.

Rules for original vuln:

2014-09-30: Detection in Bro, including Qmail MAIL FROM attack vector. tester (not complete; should spider entire site):

2014-09-29: Shellshocker tester

2014-09-26: SIP scanner:

2014-09-26: Tripwire detector:

Robert Graham's masscan of just the default page by IP (so a lower bound) is here, but it actually aborted and he'll be re-running it:

Landscape of obvious targets:
Metasploit module for original vuln:

Exploit possibilities walkthrough, including fetching results:

Malicious DHCP server:

2014-10-06: Unconfirmed report that Yahoo and compromised.

2014-10-06: Postfix/procmail exploit

Funniest one-liner so far:
Akihiko Koizuka @koizuka
() { :;}; /usr/bin/eject

2014-09-29: New non-shellshock vulns:

