"Shellshock"

I like this trend: major internet security vulnerability, new guitar parody. Most recently we’ve had to deal with Shellshock, an issue where a program called bash would execute code provided in environment variables, which non-CS people can think of as a sort of transient set of preferences that a program has access to. In a particular bad combination of features, some server software might happen to (deliberately) store information in the environment (like, say, what browser you’re running) and then run bash to accomplish some particular task. If you say your browser is “Safari”, everything’s okay; if you say it’s “() { :;}; echo vulnerable” then we have a problem.
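To make the "Safari" versus "() { :;}; echo vulnerable" contrast concrete from the defender's side, here is an added example (not part of the original post) that scans web server logs for header values a vulnerable bash would have treated as a function definition. It assumes Apache "combined" log format and the usual CGI mapping of headers to `HTTP_*` environment variables; the log lines and the names `cgi_environ`, `suspicious_vars` and `scan` are constructed for illustration.

```python
import re

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Safari"
192.0.2.77 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
192.0.2.78 - - [25/Sep/2014:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :;}; echo vulnerable" "Safari"
192.0.2.11 - - [25/Sep/2014:10:03:00 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; fn() { })"
'''

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A vulnerable bash treated any environment value that *starts with* these
# four characters as a function definition and kept evaluating past its end.
FUNCTION_PREFIX = "() {"


def cgi_environ(fields):
    """Mimic how a CGI server copies request headers into the environment."""
    return {"HTTP_USER_AGENT": fields["agent"], "HTTP_REFERER": fields["referer"]}


def suspicious_vars(environ):
    """Names of variables whose value bash would have parsed as a function."""
    return sorted(n for n, v in environ.items() if v.startswith(FUNCTION_PREFIX))


def scan(log_text):
    """Return (client IP, request line, flagged variables) for each hit."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = suspicious_vars(cgi_environ(m.groupdict()))
        if hits:
            findings.append((m["ip"], m["request"], hits))
    return findings


if __name__ == "__main__":
    for ip, request, hits in scan(SAMPLE_LOG):
        print(f"{ip} {request!r}: function-definition prefix in {', '.join(hits)}")
```

The last sample line is not flagged: parentheses and braces elsewhere in a value are harmless, only the leading prefix mattered.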

There is a song here too.

If you’re on a slow internet connection, you might want to download the audio instead.

The good news about Shellshock is it’s all server-side, so if you’re not running a server there’s not much to worry about (although you should always install security updates from your OS vendor). The bad news is there’s nothing an average person can do to make things better, and these days even random devices (routers, thermostats, phones, cars) could easily be running some small variant of Linux with some networking software and a vulnerable version of bash installed. Check if those things have security updates, too.

This was a parody of Tom Jones’ “Sex Bomb” (with Mousse T.); unfortunately I can’t find an official online version of the song, but you can find an unofficial one if you look. I can, however, share my first exposure to the song: this a cappella version (live) by the UC Men’s Octet.

As usual, the content of the lyrics should be considered hyperbole and not formal technical advice.

Previously in the Security Vulnerability series: “goto fail” and “Heartbleeder”.


Send a request to your little site
Hope that it’s running with CGI
If your default system shell is bash
Then I’m ready for the attack
Yeah I’m ready for the attack

Now read the parameters that I sent
And stick them in the environment
Pass it down to your system call
Baby, you’ve lost it all

Shellshock (shellshock)
It’s called shellshock
Run my code remotely with a certain secret knock
Shellshock (shellshock)
Something’s gone wrong
Baby, security’s gone

Now, don’t get me wrong, it’s a feature gone bad
Remote code execution should make you sad
If your environment data starts with parens
bash will read it until the end

A real function stops with a curly brace
But add more code and to bash’s disgrace
It will go ahead and evaluate
Baby, that’s check and mate

Shellshock (shellshock)
It’s called shellshock
Infiltrate a server with a certain secret knock
Shellshock (shellshock)
That’s what’s gone wrong
Baby, security’s gone

I can dump the contents of your password file
I can knock your host offline at a whim
I can set up a server process of my own
And I control devices that have internet within

Shellshock
It’s called shellshock
Patches try to figure out the right way they can block
Shellshock (shellshock)
Twenty years wrong
Baby, security’s gone (it’s gone)
Baby, security’s gone (so long)
Baby, security’s gone.