[Commotion-dev] Commotion and Shell Shock

Dan Staples danstaples at opentechinstitute.org
Thu Sep 25 13:24:23 EDT 2014


It does run luci on the backend, but several of our luci scripts
actually make calls to a system shell. But still, it's not bash :)

Dan

On 09/25/2014 12:48 PM, Ben West wrote:
> This requires access to the shell interpreter (in this case bash). So,
> an exploiter would already need local execution privileges on the target
> machine, which looks like it is being accomplished through apache mod_cgi
> in known exploits.
> 
> OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the
> ash/busybox binary presumably (?) wouldn't be involved.
> 
> Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,
> though.
> 
> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
> 
> Ubuntu:
> http://www.ubuntu.com/usn/usn-2362-1/
> 
> Debian:
> https://lists.debian.org/debian-security-announce/2014/msg00220.html
> https://lists.debian.org/debian-security-announce/2014/msg00221.html
> 
> Redhat:
> https://access.redhat.com/announcements/1210053
> https://access.redhat.com/articles/1200223
> 
> OS X (must recompile bash):
> http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7
> 
> 
> On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples
> <danstaples at opentechinstitute.org> wrote:
> 
>     The news about the Shell Shock/Bash bug[1] has gotten pretty big now.
>     There's also a lot of rhetoric about this being a bigger deal than the
>     Heartbleed vulnerability. I am wondering if it's worth putting up a
>     quick blog post on the Commotion website that the router firmware is
>     *not* vulnerable (since OpenWRT comes with the ash shell by default
>     rather than bash).
> 
>     Thoughts?
> 
>     Dan
> 
>     [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> 
>     --
>     Dan Staples
> 
>     Open Technology Institute
>     https://commotionwireless.net
>     OpenPGP key: http://disman.tl/pgp.asc
>     Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
>     _______________________________________________
>     Commotion-dev mailing list
>     Commotion-dev at lists.chambana.net
>     https://lists.chambana.net/mailman/listinfo/commotion-dev
> 
> 
> 
> 
> -- 
> Ben West
> http://gowasabi.net
> ben at gowasabi.net
> 314-246-9434

-- 
Dan Staples

Open Technology Institute
https://commotionwireless.net
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
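The question raised above, whether a system-shell call from a luci script can reach a bash affected by CVE-2014-6271, as an added audit script that is not from the thread or the Commotion project. It assumes a POSIX sh with `readlink -f`; the function names and the `probe` variable are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: os.execute()/system() from luci
# scripts run their command line through /bin/sh, so what /bin/sh resolves
# to decides whether CVE-2014-6271 is reachable at all. ash inside busybox
# (OpenWRT) does not import shell functions from the environment; an
# unpatched bash does.

# shell_kind [ROOT]: classify the binary ROOT/bin/sh resolves to.
# Prints one of: bash, busybox, dash, other, missing. ROOT defaults to /.
shell_kind() {
    sh_path="${1:-}/bin/sh"
    [ -e "$sh_path" ] || { echo missing; return 0; }
    # Follow symlinks (on OpenWRT /bin/sh -> busybox); fall back to the path
    target=$(readlink -f "$sh_path" 2>/dev/null) || target="$sh_path"
    case "$(basename "$target")" in
        bash*)    echo bash ;;
        busybox*) echo busybox ;;
        dash)     echo dash ;;
        *)        echo other ;;
    esac
}

# bash_imports_functions [BASH]: the self-check vendors published for
# CVE-2014-6271. An exported variable whose value starts with "() {" is
# parsed as a function definition; an unpatched bash also executes whatever
# follows the closing brace. Prints vulnerable, patched or absent.
bash_imports_functions() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo absent; return 0; }
    # Only the trailing echo can produce "marker"; -c 'true' runs nothing else
    out=$(env probe='() { :;}; echo marker' "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *marker*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# audit_system: report both findings for the host this script runs on.
audit_system() {
    echo "/bin/sh resolves to: $(shell_kind)"
    echo "bash function import (CVE-2014-6271): $(bash_imports_functions)"
}

case "${1:-}" in --audit) audit_system ;; esac
```

Run with `--audit` on the router or server in question; a "busybox" or "dash" result means a luci `system()` call never reaches bash, while "bash" plus "vulnerable" means the CGI environment is the path to watch.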

