How worse is the shellshock bash bug than Heartbleed?

rysiek rysiek at
Tue Sep 30 05:24:44 PDT 2014


Dnia wtorek, 30 wrzeĊ›nia 2014 14:25:28 Georgi Guninski pisze:
> > Agree, heartbleed was a bigger problem, though I think I know why so
> > many people panic because of this.
> > 
> > My theory is, with heartbleed most folks thought they were unaffected,
> > cause not many noob people run a webserver. But with shellshock they can
> > test this on their own machine, with just 1 line of code and see the
> > "vulnerable" message, so suddenly this is a big deal for them.
> > 
> > So, don't panic & stay cool, unless you have some badly configured
> > servers or have a habit of running everything on your workstation
> > without checking. But then you got bigger problems than this ;-).
> Shellshock affects clients, including admins :)
> Over DHCP you get instant root.
> Over qmail local delivery, without any interaction
> you get the lusers $HOME and /var/mail and having
> in mind the state of current kernels the road
> to euid 0 is not very long.
> It might affect some suid progies too.

Yeah, but that means the danger level is somewhere on the "client-side root" 
side, rather than "server-side root".

> AFAICT HB didn't allow code execution, just reading memory.

"Just" potentially reading plaintext passwords straight off of RAM, SSL/TLS 
certificates, GPG keys, etc., potentially (and demonstrably!) giving one a way 
not only to take over the given server, but to decrypt past saved 
communications with a given host, if the host used SSL without perfect forward 

Shellshock is more of a "personal client hygiene" kind of bug (a bad one, but 
still); HB was "we're *all* affected and fucked, change passwords NOW and hope 
for the best".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 411 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the cypherpunks mailing list