Shellshock: A 25-Year-Old Bash Bug Enables Remote Code Execution on Millions of Servers

A vulnerability in Bash — the Unix shell present on virtually every Linux and macOS system for 25 years — allowed remote code execution via HTTP headers, CGI scripts, and DHCP responses. Within 24 hours of disclosure, exploitation was widespread.

GNU Bash / Global Linux Servers · 2014 · 2 min read

Background

Bash (Bourne Again Shell) had contained a vulnerability (CVE-2014-6271) since version 1.03 in 1989 — 25 years before it was discovered. The bug involved how Bash processed environment variables: it would execute code appended after the end of a function definition in a variable value.

The Attack

Shellshock was triggered when Bash parsed an environment variable containing a function definition followed by additional commands: () { :;}; <malicious command>. Web servers using CGI scripts that passed HTTP headers to Bash (extremely common in Apache configurations) were immediately vulnerable: attackers simply put their payload in an HTTP User-Agent or Referer header. Automated scanning and exploitation began within hours of disclosure. Botnets were recruiting vulnerable servers within 24 hours. The vulnerability also affected DHCP clients, SSH ForceCommand configurations, and any other system where untrusted data reached Bash as an environment variable.

Response

Red Hat, Debian, Ubuntu, Apple, and other vendors released patches rapidly, but the initial patches were incomplete and required follow-up patches over several days. CISA issued an emergency advisory. Major web hosting providers deployed WAF rules to block Shellshock payloads while patches were deployed. Many embedded devices (routers, smart TVs, IoT devices) running older Bash versions remained permanently vulnerable.
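As an added example that is not part of the original article, the script below shows the two defender-side checks the story above implies: the widely circulated harmless self-test for a local Bash (an exported variable holding a function definition with a command appended, the exact shape described in The Attack), and a scan of web-server access-log lines for the function-definition prefix that every Shellshock payload must carry, which is what WAF rules keyed on. The function names, the log lines and the IP addresses are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article.
#  - bash_shellshock_status: harmless self-test for the local Bash.
#  - count_shellshock_requests / list_shellshock_sources: log scan for the
#    "() {" function-definition prefix that Shellshock payloads start with.

bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return; }
    # A patched Bash imports only the function body; an unpatched one also
    # executes the appended "echo vulnerable" while importing the variable.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Prefix every Shellshock payload starts with: "()" then "{", whitespace allowed.
SHELLSHOCK_RE='[(][)][[:space:]]*[{]'

# Reads log lines on stdin, prints how many carry the prefix anywhere in the
# line (User-Agent, Referer and other headers all land in the same log line).
count_shellshock_requests() {
    grep -Ec "$SHELLSHOCK_RE" || true
}

# Reads log lines on stdin, prints the client IP (first field) of each hit,
# one per line, for blocking or incident triage.
list_shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" | awk '{ print $1 }'
}

# Constructed sample access-log lines (not real traffic): two carry the marker
# in the User-Agent or Referer field, one is a benign request.
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
192.0.2.11 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 98 "() { :; }; uname -a" "curl/7.30"'

echo "local bash: $(bash_shellshock_status)"
echo "suspicious requests: $(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_requests)"
printf '%s\n' "$SAMPLE_LOG" | list_shellshock_sources
```

On a patched system the first line reads "local bash: patched"; the scan reports 2 suspicious requests from 192.0.2.10 and 192.0.2.12.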

Outcome

Shellshock was classified as more severe than Heartbleed. Exploitation began within hours and never fully stopped — vulnerable embedded devices continued to be exploited for years. The bug's 25-year age raised questions about how many other ancient vulnerabilities remain in foundational software.

Key Takeaways

  1. Software audits of foundational Unix utilities should be prioritised — bugs present for decades are still exploitable
  2. HTTP headers and other client-controlled inputs must never be passed directly to shell interpreters
  3. CGI-based web applications are particularly vulnerable to shell injection — prefer modern application frameworks
  4. Embedded devices with no update mechanism create permanent vulnerability pools that attackers exploit indefinitely
Tags: Shellshock, Bash, CGI, RCE, HTTP header injection