There’s a new internet-crippling zero-day vulnerability in town called Shellshock. It potentially affects around half of all websites on the internet (around 500 million), and millions or billions more internet-connected devices such as routers and smartphones. Unlike Heartbleed, which was quite hard to exploit properly, Shellshock can be exploited with just a couple of lines of code, giving just about anyone the ability to run arbitrary code on an affected computer. In simple terms, this means that it’s now relatively simple for anyone to gain unauthorized access to a large portion of the world’s computers, and download/extract a wide variety of sensitive details. Shellshock also has the potential to be turned into a worm — a self-replicating piece of code that automatically propagates to all Shellshock-vulnerable systems, potentially causing untold damage.
But before we get ahead of ourselves with various doomsday scenarios (and Shellshock really could be one of the worst bugs to ever hit the internet), let’s discuss what Shellshock actually is first.
What is Shellshock?
In technical terms, Shellshock is a vulnerability in a Linux (or *nix) program called Bash, with the formal designation of CVE-2014-6271. In the words of the US government’s NIST agency:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” (Emphasis added)
In simpler, non-technical terms, Shellshock is a vulnerability in a very popular program — Bash — that is present on almost every Linux-based computer and device in the world. If you’ve ever used the “command line” on a Unix-like system (Linux, Mac OS X, Android) then you were probably typing commands into a Bash shell. This vulnerability, which can be exploited via a number of routes (at least Apache and DHCP), allows an attacker to run code directly on the vulnerable system. It is very, very easy to craft these attacks — it’s basically as simple as writing a few lines of Bash shell script.
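As an added example (not code from the article), here is a small POSIX shell script with two defender-side checks for the mechanism NIST describes: it asks the local bash to import an environment variable shaped like an exported function definition with a trailing command, which only an unpatched bash executes, and it counts constructed Apache access-log lines whose header fields carry the "() {" prefix that the Apache/mod_cgi route depends on. The variable name `probe`, the marker string and the log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the article. Two defender-side checks for Shellshock.

# bash_is_vulnerable: exports a variable whose value looks like a Bash function
# definition ("() { :; }") followed by a trailing command, then starts bash.
# An unpatched bash (CVE-2014-6271) runs the trailing command while importing the
# variable; a patched bash treats it as an ordinary string and prints nothing.
# Returns 0 if vulnerable, 1 if patched, 2 if no bash binary is available.
bash_is_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    # "probe" and the marker text are constructed for this check.
    out=$(env probe='() { :; }; echo SHELLSHOCK_MARKER' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_shellshock_probes: reads Apache access-log lines on stdin and prints how
# many carry the "() {" prefix in a header field (Referer or User-Agent here).
# mod_cgi copies request headers into environment variables before running a CGI
# script, so this exact prefix is what an unpatched bash would act on; a patched
# bash ignores it, but the count still shows who is probing the server.
count_shellshock_probes() {
    grep -c -F '() {' || true
}

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo probe" "curl/7.37"'

if bash_is_vulnerable; then
    echo "local bash: VULNERABLE to CVE-2014-6271"
else
    echo "local bash: patched (or no bash installed)"
fi
printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes   # prints 2 for the sample
```

Run it on a real access log with `count_shellshock_probes < /var/log/apache2/access.log` (path assumed) to see how many probes a server has received; a patched bash makes the probes harmless, but the count is still worth alerting on.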