<div dir="ltr">Uh, I know ash was developed by Kenneth Almquist, not by Stephen Bourne (bsh) nor Brian Fox (bash), but have you validated that ash is not vulnerable to the same exploit just announced for bash? Until tested, asserting that program a is not program b is not sufficient to claim that program a is not equally vulnerable.<br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 25, 2014 at 10:24 AM, <span dir="ltr"><a href="mailto:danstaples@opentechinstitute.org">danstaples@opentechinstitute.org</a></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It does run luci on the backend, but several of our luci scripts<br>
actually make calls to a system shell. But still, it's not bash :)<br>
<br>
Dan<br>
<span class=""><br>
On 09/25/2014 12:48 PM, Ben West wrote:<br>
> This requires access to the shell interpreter (in this case bash). So,<br>
> an exploiter would already need local execution privileges on the target<br>
> machine, which looks like is being accomplished through apache mod_cgi<br>
> on known exploits.<br>
><br>
> OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the<br>
> ash/busybox binary presumably (?) wouldn't be involved.<br>
><br>
> Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,<br>
> though.<br>
><br>
> <a href="http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html" target="_blank">http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html</a><br>
><br>
> Ubuntu:<br>
> <a href="http://www.ubuntu.com/usn/usn-2362-1/" target="_blank">http://www.ubuntu.com/usn/usn-2362-1/</a><br>
><br>
> Debian:<br>
> <a href="https://lists.debian.org/debian-security-announce/2014/msg00220.html" target="_blank">https://lists.debian.org/debian-security-announce/2014/msg00220.html</a><br>
> <a href="https://lists.debian.org/debian-security-announce/2014/msg00221.html" target="_blank">https://lists.debian.org/debian-security-announce/2014/msg00221.html</a><br>
><br>
> Redhat:<br>
> <a href="https://access.redhat.com/announcements/1210053" target="_blank">https://access.redhat.com/announcements/1210053</a><br>
> <a href="https://access.redhat.com/articles/1200223" target="_blank">https://access.redhat.com/articles/1200223</a><br>
><br>
> OS X (must recompile bash):<br>
> <a href="http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7" target="_blank">http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7</a><br>
><br>
><br>
> On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples<br>
> <<a href="mailto:danstaples@opentechinstitute.org">danstaples@opentechinstitute.org</a><br>
</span><span class="">> <mailto:<a href="mailto:danstaples@opentechinstitute.org">danstaples@opentechinstitute.org</a>>> wrote:<br>
><br>
> The news about the Shell Shock/Bash bug[1] has gotten pretty big now.<br>
> There's also a lot of rhetoric about this being a bigger deal than the<br>
> Heartbleed vulnerability. I am wondering if it's worth putting up a<br>
> quick blog post on the Commotion website that the router firmware is<br>
> *not* vulnerable (since OpenWRT comes with the ash shell by default<br>
> rather than bash).<br>
><br>
> Thoughts?<br>
><br>
> Dan<br>
><br>
> [1] <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271" target="_blank">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271</a><br>
><br>
> --<br>
> Dan Staples<br>
><br>
> Open Technology Institute<br>
> <a href="https://commotionwireless.net" target="_blank">https://commotionwireless.net</a><br>
> OpenPGP key: <a href="http://disman.tl/pgp.asc" target="_blank">http://disman.tl/pgp.asc</a><br>
> Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9<br>
> _______________________________________________<br>
> Commotion-dev mailing list<br>
> <a href="mailto:Commotion-dev@lists.chambana.net">Commotion-dev@lists.chambana.net</a><br>
</span>> <mailto:<a href="mailto:Commotion-dev@lists.chambana.net">Commotion-dev@lists.chambana.net</a>><br>
<span class="">> <a href="https://lists.chambana.net/mailman/listinfo/commotion-dev" target="_blank">https://lists.chambana.net/mailman/listinfo/commotion-dev</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Ben West<br>
> <a href="http://gowasabi.net" target="_blank">http://gowasabi.net</a><br>
</span>> <a href="mailto:ben@gowasabi.net">ben@gowasabi.net</a> <mailto:<a href="mailto:ben@gowasabi.net">ben@gowasabi.net</a>><br>
> <a href="tel:314-246-9434" value="+13142469434">314-246-9434</a><br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Dan Staples<br>
<br>
Open Technology Institute<br>
<a href="https://commotionwireless.net" target="_blank">https://commotionwireless.net</a><br>
OpenPGP key: <a href="http://disman.tl/pgp.asc" target="_blank">http://disman.tl/pgp.asc</a><br>
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9<br>
_______________________________________________<br>
Commotion-dev mailing list<br>
<a href="mailto:Commotion-dev@lists.chambana.net">Commotion-dev@lists.chambana.net</a><br>
<a href="https://lists.chambana.net/mailman/listinfo/commotion-dev" target="_blank">https://lists.chambana.net/mailman/listinfo/commotion-dev</a><br>
</div></div></blockquote></div><br></div></div>