Shellshock Bash bug

humax# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
Seemingly not a problem so far...

Edit: I forgot that was just using sh rather than bash. Installed bash and repeated:
humax# env X="() { :;} ; echo busted" /mod/bin/bash -c "echo stuff"

So, not so good if you have bash installed, which I guess most people don't.
Last edited:
under what cases / packages might you have bash? can a list be compiled easily? Also, under what situations would bash be exposed to the internet? I'm thinking https webif access?! do I need to say eek at this point?!!


Bash isn't installed as a dependency for anything as far as I know. It certainly isn't used for any CGI scripting either, which is the exploit vector for this.

Now try on your Mac...
I use zsh on my mac.. no problem there!
Would somebody mind explaining this to those of us not adept in unix? What would this exploit actually allow hackers to do, and what access would they require in order to exploit it?
For web servers which use bash as a CGI language, the exploit allows an attacker to run arbitrary commands at the shell level with the privileges of the web server.
hence my 'eek' in post #3!! Need to check my other routers and gadgets- that'll be my job tonight!
Just about every file server and router uses some form of Linux/Unix. Maybe half a billion machines are affected, but do they all have bash on them? I suppose all the Macs have bash installed by default, too, even if the user doesn't use it.

af123, is it only web servers that use bash as a CGI language that are at risk, or any machine that has bash installed and is connected to the internet?