On Tue, Sep 30, 2014 at 03:59:33PM +0200, Lodewijk andré de la porte wrote:
> On Sep 30, 2014 3:40 PM, "Georgi Guninski" <guninski@guninski.com> wrote:
>> If I had a budget for buying sploits, I would pay much more for shellshock than for HB, might be wrong.
> This is a really good metric. It instantly combines utility with potential etc.
> HB obtains you the root password, too. Maybe you have to wait for the admin to log in, but still. It also doesn't leave a trace, which is neat.

Is there a reference that HB _alone_ gets you the root password? Maybe I am dumb, but I don't see a way to get the root password in a sound setup even if I can ptrace() httpd.

> HB gets you exploits for some very serious competitors. Shellshock only for silly competition and, unless they're really silly, requires another exploit for root.

Probably shellshock will give you root via DHCP, and for another root exploit you might try to shock suid stuff :) On the web the myriad buggy CGIs probably can compete with shellshock, though it is more universal and allegedly works for a significant number of daemons.

> So... it depends! On too much. For me personally shellshock is an easier exploit but heartbleed can be way more fun. Hmm... have to go with heartbleed in the end. Real users often use the same password, so that'd let me take open wifi users by surprise. If you'd want you can take servers, even though it's a tad harder.