The Shellshock bug, and the underlying feature allowing Function Import from the Environment (I'm calling it FIE), have been in bash since at least 1993, before the rise of CGI.
At that time, the rest of the Unix/Linux/GNU environment was very different.
So at that time in history:
- Were setuid scripts allowed at that time?
- Were setuid scripts part of the default configuration at that time?
- Were the `system(3)` and `popen(3)` calls used routinely by setuid binaries at that time? Common uses are for expanding shell globs (`less` appears to use it for this, but is not setuid) and executing external commands.
- Was it common at that time to inherit the environment when `su`-ing?
- Could the environment be propagated by things like `rlogin` etc.? (I think telnet propagated `DISPLAY` by default.)
- Are there any features which would make the FIE bug more problematic back then?
So how bad was this privilege escalation and code execution bug, which has been hiding in plain sight for over twenty years, when it was originally introduced?
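To make the FIE feature itself concrete, here is an added example (not part of the original question) that exports a function from one bash, lets a child bash pick it up from the environment, and shows how that import is encoded; the function names `fie_demo`, `fie_encoding` and `plain_var_check` are mine. It assumes bash is installed and can be run from any POSIX sh.

```shell
# Added example: bash's function-import-from-environment (FIE), the feature
# underlying Shellshock. Requires bash; callable from any POSIX sh.

# Define a function in one bash, export it, and let a *child* bash run it.
# The child never sourced a file defining `greet`; it picked the definition
# up from an environment variable on startup. Prints "imported".
fie_demo() {
    bash -c 'greet() { echo imported; }; export -f greet; bash -c greet'
}

# Show how the exported function is encoded in the environment. Pre-patch
# bash stored it under the bare name (greet='() { ...}'), so *any* variable
# whose value began with "() {" was parsed as a function definition at
# startup. Patched bash namespaces it as BASH_FUNC_greet%% (or
# BASH_FUNC_greet()), so ordinary variables that an unprivileged caller
# controls are no longer mistaken for function definitions.
fie_encoding() {
    bash -c 'greet() { echo imported; }; export -f greet; env' \
      | grep -E '^(greet|BASH_FUNC_greet(%%|\(\)))=' | cut -d= -f1
}

# Configuration check: a plain variable with a function-looking value must
# NOT be imported. Prints "not-imported" on a patched bash; an unpatched
# bash would still define `greet` from the bare-name variable and print
# "imported". (No trailing command is present, so nothing extra is run.)
plain_var_check() {
    env greet='() { echo imported; }' \
      bash -c 'greet 2>/dev/null || echo not-imported'
}
```

Running `fie_encoding` on a current bash prints `BASH_FUNC_greet%%`, which is the namespaced form introduced by the Shellshock fixes.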