Bear Bibeault wrote: From what I understand, this is not much of a threat for personal systems that aren't running servers that the Net can connect to in order to run bash commands (such as CGI).
But yeah, if you are running servers...
There were some interesting scenarios discussed wherein even home networks could be at risk:
- Many home router web administration pages run over CGI. If they have remote admin enabled and have bash as default shell, then routers can be compromised.
- Some PoC attacks over DHCP have been demonstrated. The idea is that if an ISP's DHCP server can be compromised by other means, then that ISP's customers can be compromised using this bash vulnerability.
Jaikiran Pai wrote: This has a detailed explanation of what the bug is all about http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
Troy (the author of the blog post) and I released a public and free mini-class on Shellshock. Here you go. http://pluralsight.com/courses/shellshock-bash-bug