[Commotion-dev] Commotion and Shell Shock
Dan Staples
danstaples at opentechinstitute.org
Thu Sep 25 13:24:23 EDT 2014
It does run luci on the backend, but several of our luci scripts
actually make calls to a system shell. But still, it's not bash :)
Dan
On 09/25/2014 12:48 PM, Ben West wrote:
> This requires access to the shell interpreter (in this case bash). So,
> an exploiter would already need local execution privileges on the target
> machine, which looks like it is being accomplished through apache mod_cgi
> on known exploits.
>
> OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the
> ash/busybox binary presumably (?) wouldn't be involved.
>
> Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,
> though.
>
> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
>
> Ubuntu:
> http://www.ubuntu.com/usn/usn-2362-1/
>
> Debian:
> https://lists.debian.org/debian-security-announce/2014/msg00220.html
> https://lists.debian.org/debian-security-announce/2014/msg00221.html
>
> Redhat:
> https://access.redhat.com/announcements/1210053
> https://access.redhat.com/articles/1200223
>
> OS X (must recompile bash):
> http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7
>
>
> On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples
> <danstaples at opentechinstitute.org> wrote:
>
> The news about the Shell Shock/Bash bug[1] has gotten pretty big now.
> There's also a lot of rhetoric about this being a bigger deal than the
> Heartbleed vulnerability. I am wondering if it's worth putting up a
> quick blog post on the Commotion website that the router firmware is
> *not* vulnerable (since OpenWRT comes with the ash shell by default
> rather than bash).
>
> Thoughts?
>
> Dan
>
> [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>
> --
> Dan Staples
>
> Open Technology Institute
> https://commotionwireless.net
> OpenPGP key: http://disman.tl/pgp.asc
> Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
> --
> Ben West
> http://gowasabi.net
> ben at gowasabi.net
> 314-246-9434
--
Dan Staples
Open Technology Institute
https://commotionwireless.net
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
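To check the thread's claim rather than assume it, here is an added example (not code from the thread or the Commotion project) that resolves what /bin/sh really is on a router root filesystem, lists CGI scripts whose shebang names bash, and runs the vendor-published CVE-2014-6271 self-test against a given shell binary. The root path, CGI directory and sample scripts are assumptions for illustration.

```shell
# Added example (not code from the Commotion-dev thread or the Commotion
# project): three checks a defender can run on a router root filesystem to
# verify that its CGI/luci scripts never reach an unpatched bash.

# Classify the interpreter named by a script's first line: bash, sh or other.
classify_shebang() {
    case "$1" in
        '#!'*/bash*|'#!'*'env bash'*) echo bash ;;
        '#!'*/sh*|'#!'*/ash*|'#!'*'env sh'*|'#!'*'env ash'*) echo sh ;;
        *) echo other ;;
    esac
}

# List scripts in a directory (e.g. a CGI dir) whose shebang names bash.
bash_scripts_in() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_shebang "$(head -n 1 "$f")")" = bash ]; then
            echo "$f"
        fi
    done
    return 0
}

# Resolve /bin/sh under a root (e.g. "/" or a mounted firmware image) by
# following symlinks by hand, so it also works with a busybox readlink.
sh_target() {
    root=${1%/}
    p="$root/bin/sh"
    n=0
    while [ -L "$p" ] && [ "$n" -lt 16 ]; do
        t=$(readlink "$p")
        case "$t" in
            /*) p="$root$t" ;;
            *)  p="$(dirname "$p")/$t" ;;
        esac
        n=$((n + 1))
    done
    echo "$p"
}

# The vendor-published CVE-2014-6271 self-test: an unpatched bash runs the
# command appended to a function definition it imports from the environment.
# Prints "vulnerable" or "ok" for the shell binary given as $1.
shellshock_selftest() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *) echo ok ;;
    esac
}
```

On a Commotion/OpenWRT image `sh_target /` should end at busybox, and `bash_scripts_in /www/cgi-bin` should print nothing; a bash installed later as a package is what the self-test catches.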