In light of the Shellshock vulnerability, one of our top Security Consultants - Andy Yang, has written a blog post to explain why Shellshock is such an issue, alongside providing a proof-of-concept exploitation;
Firstly, the vulnerability itself. The actual vulnerability itself is amusing and unique, but otherwise, isn’t the magical everything-is-owned vulnerability that everyone makes it out to be. To paraphrase, if you are able to set an environment variable through the Bash shell, you can execute commands.
The interesting part is that this vulnerability may have existed for more than 20 years, in an application which is part of pretty much every Unix system since a long time ago. The vulnerable versions start from cpe:/a:gnu:bash:1.14.0 to cpe:/a:gnu:bash:4.3, which covers pretty much every Unix-based operating system available today (and by extension, a tremendous chunk of the Internet).
Our comments were also featured in The Register in their review of Shellshock titled - 'Bash bug: Shellshocked yet? You will be ... when this goes WORM'.
Read full article and our opinion here: http://www.theregister.co.uk/2014/09/25/shell_shocked_not_yet/