Excellent deep-dive technical analysis and timeline by David Wheeler:
http://www.dwheeler.com/essays/shellshock.html
Troy Hunt:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
RedHat:
https://access.redhat.com/articles/1200223
SANS:
https://isc.sans.edu/diary/Shellshock%3A+Vulnerable+Systems+you+may+have+missed+and+how+to+move+forward/18721
The shellshock/badbash vuln early zero-day exploiting 2014-6271:
https://twitter.com/yinettesys/status/515012126268604416
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
https://gist.github.com/anonymous/929d622f3b36b00c0be1
https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/
Packet Storm vuln summaries by CVE (lists major distro impacts, etc.):
Original news about initial fix being incomplete:
https://twitter.com/taviso/statuses/514887394294652929
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
http://www.openwall.com/lists/oss-security/2014/09/24/32 [and responses]
2014-10-13: Reverse DNS lookups as an exploitation vector http://packetstormsecurity.com/files/128650/dnsbash-exec.txt
Michal Zalewski (Google):
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
2014-10-01:
http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
2014-09-30: Good CloudFlare blog item http://blog.cloudflare.com/inside-shellshock/
2014-10-02: OpenDNS analysis of scanning activity http://labs.opendns.com/2014/10/02/opendns-and-bash/
Initial patch for incomplete patch:
http://www.openwall.com/lists/oss-security/2014/09/25/10
2014-09-29: Binary patching.
Solar Designer posts binary patch method:
http://www.openwall.com/lists/oss-security/2014/09/29/1
Python method from Antti Louko:
http://alo.fi/bash/Patch-bash.py
See product-specific section for per-vendor remediation.
Some busybox may be affected:
https://twitter.com/dakami/status/514972098368794625
2014-09-27: Exploitation vectors analysis (some inetd, exim, qmail, procmail, openvpn):
https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html
mod_perl,mod_php,mod_python OK, but mod_cgi (and therefore cPanel) vulnerable: http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html
2014-09-26: F5 BIG-IP vulnerable: https://twitter.com/kennwhite/status/515533087082422272
2014-10-12: Juniper: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&cat=SIRT_1&actp=LIST
2014-09-30: OpenVPN vulnerable in some configs. https://news.ycombinator.com/item?id=8385332
2014-10-02: QNAP NAS vulnerable. http://www.fireeye.com/blog/technical/2014/10/the-shellshock-aftershock-for-nas-administrators.html
2014-10-02: McAfee Web Gateway and McAfee Email Gateway shellshock fixes announced here: https://community.mcafee.com/docs/DOC-6532?elq=641521a732bd4c53aabc553a1a7fe4d7&elqCampaignId=971
2014-10-02: Request Tracker (RT 4.2.x) vulnerable http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html
2014-10-03: Citrix NetScaler not directly vuln, but include bash; VPX patch for DHCP issue forthcoming. http://support.citrix.com/article/CTX200217
2014-10-07: Oracle updates its patches: http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
2014-10-03: Really good local checker for all known variants. https://github.com/hannob/bashcheck/blob/master/bashcheck
My own simple wget script to walk an entire site for shellshock. Not as fast as masscan, but more configurable.
Rules for original vuln:
Snort: https://www.snort.org/advisories/vrt-rules-2014-09-24
Bro: https://github.com/CriticalStack/bro-scripts
2014-09-30: Detection in Bro, including Qmail MAIL FROM attack vector. https://github.com/broala/bro-shellshock
shellshock.info tester (not complete; should spider entire site):
http://check.shellshock.info/
2014-09-29: Shellshocker tester https://shellshocker.net/
2014-09-26: SIP scanner: https://github.com/zaf/sipshock
2014-09-26: Tripwire detector: https://github.com/Tripwire/bashbug-shellshock-test/blob/master/README.md
Robert Graham's masscan of just the default page by IP (so a lower
bound) is here, but actually aborted and he'll be re-running:
http://blog.erratasec.com/
Landscape of obvious targets:
https://www.google.com/search?q=filetype%3Ash+inurl%3Acgi-bin
Metasploit module for original vuln:
https://github.com/rapid7/metasploit-framework/commit/ff5398bf3f46c057666f7a3d0afaf4c0d6912575
Exploit possibilities walkthrough, including fetching results:
https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
Malicious DHCP server:
http://pastebin.com/S1WVzTv9
2014-10-06: Unconfirmed report that Yahoo and WinZip.com compromised. http://mailman.nanog.org/pipermail/nanog/2014-October/070228.html
2014-10-06: Postfix/procmail exploit http://packetstormsecurity.com/files/128572/postfixsmtp-shellshock.txt
Funniest one-liner so far:
https://twitter.com/koizuka/status/515098006895349760
Akihiko Koizuka @koizuka
() { :;}; /usr/bin/eject
2014-09-29: New non-shellshock vulns: http://www.openwall.com/lists/oss-security/2014/09/25/32
Return to The Story So Far (list of notable security events)