Discovered in September 2014, Shellshock is a recent vulnerability in Unix Bash shell (Bash is a Unix shell and command language and is widely used by server deployments, computers, and such) that has spread across the globe at incredible speed. Security companies recorded millions of attacks in the days following the vulnerability disclosure. Shellshock was labeled as a very severe bug and was compared to the Heartbleed security bug that was disclosed in April 2014. If you've heard of Heartbleed, you probably know that this was a huge boom when it was discovered. Exploiting this vulnerability let anyone on the Internet encrypt the traffic, including names, passwords, and the actual content going through a connection.

The Shellshock bug is an example of an arbitrary code execution vulnerability. This term describes an attacker's ability to execute any commands on a target machine. It is the most powerful effect a bug can have because it lets an attacker take control over the target completely. You probably read about this in Chapter 2, Scanning for Your Victim, where some Nmap scripts let us detect this kind of vulnerability on a remote system.

This is how Shellshock works: if the characters "{ ::,}; are included as the function definition, basically any code that is inserted after this definition is processed. This isn't something that should happen and it lets an attacker execute any type of code because Bash will eventually execute this.

For instance, executing the code: () {:;}; /bin/eject www.vulnerablesite.com, would actually be enough to eject the CD/DVD drive. This gives you a quick idea of the severity of this bug. Since Shellshock is still a thing, it would be appropriate to scan your machine and detect whether you are vulnerable or not.

zANTI2 provides a way to quickly check if the target (local or remote) is vulnerable in just a few clicks. The scan option is visible under Attack Actions, because to find out the vulnerability an arbitrary code has to be executed on the target first. The scanning process works by sending a crafted HTTP request with a command-injecting payload. Then it simply checks the output.

zANTI2 also allows for vulnerability checks outside of the local area network and lets you see if any web servers are vulnerable to any of the following vulnerabilities (Shellshock, SSL Poodle) as well.

To perform Shellshock detection on a remote machine out of the local area network, add any host IP from the action bar. The IP address of a website can easily be found by tracerouting or pinging it using a terminal emulator.

Fortunately, in most cases you'll find the target not vulnerable against the Shellshock vulnerability exploitation, thanks to a quick response from web server administrators and maintainers. However, if the target looks to be vulnerable, it might represent a huge danger for itself.

Zimperium has also built a Shellshock scanner for device and app vulnerability checks as an individual application, which can be downloaded for free on Google Play. This scanner determines whether your device is running Bash and if you have mobile applications that include the Bash process, which could be potentially dangerous by exposing your device to the Shellshock vulnerability. In other words, the Shellshock scanners try to connect to a port of the target, or wait for a reverse connection to a specific port, or create a sample file in an accessible path. However, even a vulnerable target that is well protected by a firewall may be vulnerable, because of the accessibility issues. These scanners are thus not 100 percent accurate and can also cause false negatives, but they're better than nothing.

Shellshock isn't the only bug zANTI2 is capable of detecting. You should've probably noticed that there is one more vulnerability called SSL Poodle.