6 comments

[ 0.45 ms ] story [ 26.1 ms ] thread
Sounds to me like an excellent way to get yourself sued or worse.
Or maybe get a truckload of "thank you" postcards..
(comment deleted)
Hmm. Is root privs escalation part of shellshock? If not, then I think this is just going to try to yum update or apt-get update as the www-data user / nobody user / apache user / you get the idea.

Anyone who's running their web server as a user with enough privileges to run package installs unattended is probably in for a worse fate than an unexpected bash update, I imagine...

No, there is no local privilege escalation. So at best this can hit the four machines in the world that run bash CGI scripts as root.

Also, their apt-get command is incorrect. apt-get update updates the local repo cache, apt-get -yy install bash will upgrade the bash package. So now they're down to two of the four machines, the ones that run RHEL.

All their exercise has done is to land their crawler IPs on some lists of IPs attempting to exploit this vulnerability. I don't think that will help them any with their business.

Not to mention that their syntax is wrong and won't trigger the vulnerability in the first place.

  env x='() {.:;.} ; echo yo'
  *line 0: syntax error near unexpected token `{.:'*
It should be:

  env x='() { :;} ; echo yo'
Better luck next time.