How worse is the shellshock bash bug than Heartbleed?

Georgi Guninski guninski at
Tue Sep 30 04:25:28 PDT 2014

On Tue, Sep 30, 2014 at 12:30:57PM +0200, "Łukasz \"Cyber Killer\" Korpalski" wrote:
> W dniu 30.09.2014 o 11:55, Lodewijk andré de la porte pisze:
> > Heartbleed was a memory leak that eventually, after carefully calculated
> > exploiting, can lead to a remote root.
> > 
> > Shellshock depends on a lot of environmental details, but is possible
> > little more than a hard to reach shell with elevated permissions.
> > 
> > I guess heartbleed was actually worse. Who runs webscripts and stuff in
> > root? That's really foolhardy. But using OpenSSL ... We usually thought
> > it good practice!
> > 
> Agree, heartbleed was a bigger problem, though I think I know why so
> many people panic because of this.
> My theory is, with heartbleed most folks thought they were unaffected,
> cause not many noob people run a webserver. But with shellshock they can
> test this on their own machine, with just 1 line of code and see the
> "vulnerable" message, so suddenly this is a big deal for them.
> So, don't panic & stay cool, unless you have some badly configured
> servers or have a habit of running everything on your workstation
> without checking. But then you got bigger problems than this ;-).

Shellshock affects clients, including admins :)

Over DHCP you get instant root.

Over qmail local delivery, without any interaction
you get the lusers $HOME and /var/mail and having
in mind the state of current kernels the road
to euid 0 is not very long.

It might affect some suid progies too.

AFAICT HB didn't allow code execution, just reading memory.

More information about the cypherpunks mailing list