Defending against shell shock

I started writing a longer post about the so-called shell shock, with analysis of what makes a web server vulnerable or secure.  Or, strictly speaking, not a web server itself, but a platform an attacker might reach through a web server.  But I’m not sure when I’ll find time to do justice to that, so here’s the short announcement:

I’ve updated mod_taint to offer an ultra-simple defence against the risk of shell shock attacks coming through Apache HTTPD, versions 2.2 or later.  A new simplified configuration option is provided specifically for this problem:

    LoadModule taint_module modules/mod_taint.so
    Untaint shellshock

mod_taint source and documentation are at http://people.apache.org/~niq/mod_taint.c and http://people.apache.org/~niq/mod_taint.html respectively.

Here’s some detail from what I posted earlier to the Apache mailing lists:

Untaint works in a directory context, so it can be selectively enabled for potentially-vulnerable apps such as those involving CGI, SSI, ExtFilter, or (other) scripts.

This goes through all Request headers, any PATH_INFO and QUERY_STRING, and (just to be paranoid) any other subprocess environment variables. It untaints them against a regexp that checks for “()” at the beginning of a variable, and returns an HTTP 400 error (Bad Request) if found.

Feedback welcome, indeed solicited. I believe this is a simple but sensible approach to protecting potentially-vulnerable systems, but I’m open to contrary views. The exact details, including the shellshock regexp itself, could probably use some refinement. And of course, bug reports!

Posted on September 26, 2014, in apache, linux, security. 4 Comments.

  1. Bash shell itself looks for “() {” at start of every environment variable before invoking the broken code.

    Thus I think you could be more specific without reducing effectiveness, which would reduce false positives.

    Bit late to the party.

  2. That pingback only just reached me, although the blog piece (like mine) looks much older.

    The piece that links to here states incorrectly that Apache has updated its mod_taint module to account for ShellShock. While it is correct that I updated mod_taint, it is not correct to say that Apache did so. This is not an official Apache module, it is merely a module written by an Apache developer (me). It isn’t backed by the community as a whole, it doesn’t benefit from the same level of scrutiny as a core module, or resources such as the bug tracker.

    If I recollect aright I offered to contribute it to the project, but there was no real interest. Reasons are lost in the mists of time, but I suspect those needing its functionality use more comprehensive third-party solutions such as mod_security or ironbee.
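To make the check concrete, here is an added Python sketch of the logic the post describes (scan every subprocess variable, including the HTTP_* variables Apache builds from request headers, and reject the request with a 400 if a value starts with “()”), alongside the tighter “() {” match the first comment suggests. This is illustrative code written for this page, not mod_taint’s own C implementation; the function names, the scan order and the sample requests are constructed.

```python
import re

# Pattern from the post: "()" at the beginning of a variable's value.
LOOSE_PATTERN = re.compile(r"^\(\)")
# Tighter pattern from the first comment: Bash only treated a variable as
# an exported function definition when its value started with "() {".
STRICT_PATTERN = re.compile(r"^\(\) \{")


def header_to_cgi_name(header):
    """Request headers reach a CGI child as HTTP_* environment variables
    (hyphens to underscores, upper-cased), which is why checking the
    subprocess environment also covers every request header."""
    return "HTTP_" + header.upper().replace("-", "_")


def is_tainted(value, strict=False):
    """True if the value looks like a Shellshock function definition."""
    pattern = STRICT_PATTERN if strict else LOOSE_PATTERN
    return pattern.match(value) is not None


def untaint(env, strict=False):
    """Scan every subprocess variable (headers, PATH_INFO, QUERY_STRING and
    the rest). Return (400, name) for the first offending variable, or
    (None, None) if the request may proceed. Order is sorted here only
    to keep results deterministic; mod_taint's own order is not assumed."""
    for name in sorted(env):
        if is_tainted(env[name], strict):
            return 400, name
    return None, None


def build_env(headers, path_info="", query_string=""):
    """Constructed stand-in for the CGI environment Apache would build."""
    env = {header_to_cgi_name(h): v for h, v in headers.items()}
    env["PATH_INFO"] = path_info
    env["QUERY_STRING"] = query_string
    return env


if __name__ == "__main__":
    # Constructed requests: one Shellshock-shaped header, and one benign
    # query string that only the loose pattern rejects (a false positive).
    attack = build_env({"User-Agent": "() { :; }; true"})
    benign = build_env({"User-Agent": "curl/7.37"}, query_string="()=empty")
    print(untaint(attack, strict=True))   # (400, 'HTTP_USER_AGENT')
    print(untaint(benign))                # (400, 'QUERY_STRING')
    print(untaint(benign, strict=True))   # (None, None)
```

The last two calls show the trade-off the first comment raises: the loose “()” match rejects a harmless query string that the “() {” match lets through.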

  1. Pingback: Don’t let anyone shock your shells - Security Research Blog - Security - Micro Focus Community

