This repository contains useful documents which I have written to help educate the cybersecurity community on the "ShellShock" bash vulnerability. These documents are designed to help facilitate learning, including on how to identify possibly vulnerable services and how to remediate such vulnerabilities.
In short, ShellShock is a very serious zero day vulnerability which has been found to reside in all versions of bash from 4.3 and earlier. This vulnerability causes bash to process extraneous data after a function declaration which can include code which will then be executed. Categorically, ShellShock is a code injection vulnerability.
The best place to start is with the file ShellShock Overview.pdf. This is a brief
presentation which introduces ShellShock, gives some details on the nature of this bash
vulnerability, and briefly explores how ShellShock can be used against Apache web servers
which have CGI scripting enabled.
If you have any issues or concerns regarding the contents of this repository, please file an issue via the issue tracker or contact the creator. If you would like to contribute to this repository, please fork this repository and submit a pull request. Upon having your pull request accepted, you will be added to the contributing authors section.
Carter Yagemann (Creator, Admin) - cmyagema@syr.edu
Amit Ahlawat (Contributor) - aahlawat@syr.edu
These documents are released as open source documents. Permission is granted to copy, distribute and/or modify these documents under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation. A copy of the license can be found at http://www.gnu.org/licenses/fdl.html.