How worse is the shellshock bash bug than Heartbleed?

Lodewijk andré de la porte l at
Tue Sep 30 06:59:33 PDT 2014

On Sep 30, 2014 3:40 PM, "Georgi Guninski" <guninski at> wrote:
> If I had a budget for buying sploits, I would
> pay much more for shockshell than for HB, might be wrong.

This is a really good metric. It instantly combines utility with potential

HB obtains you the root password, too. Maybe you have to wait for the admin
to log in, but still. It also doesn't leave a trace, which is neat.

HB gets you exploits for some very serious competitors. Shellshock only for
silly competition and, unless they're really silly, requires another
exploit for root.

So.. it depends! On too much. For me personally shellshock is an easier
exploit but heartbleed can be way more fun. Hmm... have to go with
heartbleed in the end. Real users often use the same password, so that'd
let me take open wifi users by surprise. If you'd want you can take
servers, even though it's a tease harder.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1078 bytes
Desc: not available
URL: <>

More information about the cypherpunks mailing list