Professor outlines that Shellshock is not as much of a risk as Heartbleed




Prof Bill Buchanan has outlined the Shellshock flaw in his blog.

The text is here:

After years of Microsoft Windows vulnerabilities, we find that the new place for vulnerabilities has moved to discovering sloppy programming in Java, Adobe Flash, and Adobe Reader, and now Linux. The targets this time are not desktops, but Linux servers using Bash (GNU Bourne Again Shell), which is the command line interpreter used in many Linux based systems, including Apple OS X. The most significant recent vulnerability was Heartbleed (CVE-2014-016), which allowed an intruder to send a heartbeat request within secure communications with a Web server (using HTTPS), and for the server to return back the contents of the running memory on the server. This revealed things such as usernames, passwords and encryption keys. While a serious problem, Shellshock is in no way as serious as Heartbleed, which had the potential to crack open most of the secure communications on the Internet, and provide a large-scale method to reveal secret information.

Whenever a new vulnerability is discovered it is assigned a CVE number, which is CVE-2014-6271 for Shellshock. Once announced, new patches were rolled out, but these still do not seem to fix all the problems, including a secondary problem: CVE-2014-7169 (which is a less severe problem). Administrators of Linux systems, though, are advised to patch their systems, and not wait for an update to CVE-2014-7169.

Bash interprets the commands that users enter or that are run from scripts, and then makes calls to the operating system, such as for running programs, listing the contents of a directory, or deleting files. The discovered flaw allows intruders to remotely run arbitrary code on systems such as Linux servers, including web servers, routers, and many embedded systems. It was discovered by Stephane Chazelas of Akamai, who found that code at the end of a function of an exported variable is run whenever an environment variable is used within the Bash environment. Many Linux programs use environmental variables to pass parameters between programs, and the flaw thus allows for code to be inserted into a program whenever these environmental variables are called.


While Heartbleed was a serious vulnerability, where the memory of a server could be viewed, Shellshock only focuses on CGI scripts. These are old-fashioned scripts that allow commands to be processed using a scripted language. While popular in the past, they have been largely replaced by PHP and other high-level scripting languages. In most cases CGI scripts reside in the /cgi-bin folder. For GNU Bash through 4.3, trailing strings after a function are processed in the definitions of environment variables. This allows intruders to execute arbitrary code. For example, we have a function named mybugtest:

billbuchanan@Bills-MacBook-Pro:/tmp$ export mybugtest='() { :;}; echo I AM BUGGY'
billbuchanan@Bills-MacBook-Pro:/tmp$ bash -c "echo Hello"
I AM BUGGY
Hello

It is in no way as serious as Heartbleed, and in a well-secured server, it is unlikely that the intruder can do any real damage to the system. This would be done by injecting a payload of code into the environment variables of a running process. When the process is started, the code is injected into the running program, in the same way as a user typing in some user input.
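The following is an added example, not code from the original post: a self-check an administrator can run against a Bash binary, using the same trailing-string trick shown above (the marker string and the cgi-bin listing helper are constructed for this example). A patched Bash ignores anything after the function body, so the marker never appears.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a Bash binary still
# runs a trailing command placed after an exported function body (CVE-2014-6271).

# Returns 0 (true) when the given bash binary executes the trailing command,
# i.e. it is still vulnerable; returns 1 when the trailing command is ignored.
shellshock_vulnerable() {
    bash_bin="${1:-bash}"
    # Constructed marker: a patched Bash never prints it.
    out=$(mybugtest='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for a report line.
shellshock_status() {
    if shellshock_vulnerable "$1"; then
        echo "VULNERABLE"
    else
        echo "not vulnerable"
    fi
}

# The post advises examining /cgi-bin: this lists the scripts there whose
# interpreter line is sh or bash, since those are the ones reached through
# request headers that the web server turns into environment variables.
list_shell_cgi() {
    dir="${1:-/cgi-bin}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -Eq '^#!.*[/ ](ba)?sh( |$)' && echo "$f"
    done
}

shellshock_status bash
list_shell_cgi /cgi-bin
```

Run it on each host after patching; a "VULNERABLE" verdict means the Bash package still needs updating, and any script it lists deserves a review even once Bash is fixed.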

Buffer overflows and underruns

The flaw within Bash shows how sloppy software developers have been in the past, and it is a flaw which has existed for over 25 years without being discovered. Many of the problems being uncovered have been caused by poor software coding in the C++ programming language, which often allows programs to act incorrectly when the input data is not formatted as expected. One common method of exploiting a C++ program is a buffer overflow, where a certain amount of memory is allocated to variables, and where the user enters data which is more than the allocated memory, which causes other parts of the memory to be overwritten, and causes the program to act incorrectly.

In the case of Heartbleed it was a buffer underrun which caused the problem, where an area of memory was read and which did not actually contain the required amount of data to fill it. If you are interested in Heartbleed, and its cause (OpenSSL):


In no way is this another Heartbleed, which truly was a major problem, where any intruder could run a simple exploit on any server, and the memory was released. There is the possibility of an injection of remote code, but the risks are in no way as bad as Heartbleed.

At one time, many Linux systems used many CGI scripts, but often these were difficult to read and update, so they have been migrated away to newer languages, such as C#, Java, C++, ASP and PHP. Administrators should examine their /cgi-bin and make sure there are no vulnerable scripts in there, and, at the very least, patch their systems.

The key difference here between Heartbleed and Shellshock is that ANYONE in the World could exploit Heartbleed, just by sending malicious network packets to remote servers, where virtually every Linux-based Web site ran the OpenSSL program which made them vulnerable. With Shellshock, there needs to be high-level rights given to a remote user, and also access to scripts running in the cgi-bin, for it to be vulnerable. If the system is well protected, everything should be okay; for Heartbleed, there was no protection, and the Internet shook at its core for a few weeks.


Associated people

William Buchanan
Director of CDCS