[Commotion-dev] Commotion and Shell Shock

Commotion-dev.NeoPhyte_Rep at OrdinaryAmerican.net
Thu Sep 25 14:36:32 EDT 2014


Uh, I know ash was developed by Kenneth Almquist, not by Stephen Bourne
(bsh) nor Brian Fox (bash), but have you validated that ash is not
vulnerable to the same exploit just announced for bash? Until tested,
asserting that program a is not program b is not sufficient to claim that
program a is not equally vulnerable.

On Thu, Sep 25, 2014 at 10:24 AM, danstaples at opentechinstitute.org wrote:

> It does run luci on the backend, but several of our luci scripts
> actually make calls to a system shell. But still, it's not bash :)
>
> Dan
>
> On 09/25/2014 12:48 PM, Ben West wrote:
> > This requires access to the shell interpreter (in this case bash). So,
> > an exploiter would already need local execution privileges on the target
> > machine, which it looks like is being accomplished through apache mod_cgi
> > in known exploits.
> >
> > OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the
> > ash/busybox binary presumably (?) wouldn't be involved.
> >
> > Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,
> > though.
> >
> > http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
> >
> > Ubuntu:
> > http://www.ubuntu.com/usn/usn-2362-1/
> >
> > Debian:
> > https://lists.debian.org/debian-security-announce/2014/msg00220.html
> > https://lists.debian.org/debian-security-announce/2014/msg00221.html
> >
> > Redhat:
> > https://access.redhat.com/announcements/1210053
> > https://access.redhat.com/articles/1200223
> >
> > OS X (must recompile bash):
> > http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7
> >
> >
> > On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples
> > <danstaples at opentechinstitute.org
> > <mailto:danstaples at opentechinstitute.org>> wrote:
> >
> >     The news about the Shell Shock/Bash bug[1] has gotten pretty big now.
> >     There's also a lot of rhetoric about this being a bigger deal than the
> >     Heartbleed vulnerability. I am wondering if it's worth putting up a
> >     quick blog post on the Commotion website that the router firmware is
> >     *not* vulnerable (since OpenWRT comes with the ash shell by default
> >     rather than bash).
> >
> >     Thoughts?
> >
> >     Dan
> >
> >     [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> >
> >     --
> >     Dan Staples
> >
> >     Open Technology Institute
> >     https://commotionwireless.net
> >     OpenPGP key: http://disman.tl/pgp.asc
> >     Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
> >     _______________________________________________
> >     Commotion-dev mailing list
> >     Commotion-dev at lists.chambana.net
> >     <mailto:Commotion-dev at lists.chambana.net>
> >     https://lists.chambana.net/mailman/listinfo/commotion-dev
> >
> >
> >
> >
> > --
> > Ben West
> > http://gowasabi.net
> > ben at gowasabi.net <mailto:ben at gowasabi.net>
> > 314-246-9434
>
> --
> Dan Staples
>
> Open Technology Institute
> https://commotionwireless.net
> OpenPGP key: http://disman.tl/pgp.asc
> Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
>
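The test NeoPhyte_Rep asks for above, as an added example that is not part of the thread: hand a given interpreter (bash, ash, or "busybox sh") a function definition in its environment and see whether it also executes the text that follows the function body, which is the CVE-2014-6271 behaviour. The variable name SSPROBE and the marker strings are arbitrary choices made here.

```shell
#!/bin/sh
# shellshock_check INTERPRETER
#   Returns 0 if the interpreter runs the command that trails an exported
#   function definition (affected), 1 if it only runs the requested command
#   (unaffected or patched), 2 if the interpreter cannot be executed.
#   INTERPRETER may be several words, e.g. "busybox sh".
shellshock_check() {
    shell="$1"
    bin="${shell%% *}"   # first word is the binary to locate
    if [ ! -x "$bin" ] && ! command -v "$bin" >/dev/null 2>&1; then
        echo "$shell: not found" >&2
        return 2
    fi
    # SSPROBE holds a function body followed by a trailing command. A shell
    # that imports environment functions unsafely executes "echo marker" while
    # parsing the variable; every other shell prints only "probe".
    out=$(env 'SSPROBE=() { :;}; echo marker' $shell -c 'echo probe' 2>/dev/null)
    case "$out" in
        *marker*) echo "$shell: affected (CVE-2014-6271 import pattern)"; return 0 ;;
        *)        echo "$shell: not affected by the CVE-2014-6271 import pattern"; return 1 ;;
    esac
}

# Check every interpreter named on the command line, e.g.
#   sh shellshock_check.sh bash /bin/sh "busybox sh"
for s in "$@"; do
    shellshock_check "$s" || :
done
```

The probe only exercises the original function-import flaw; the follow-up parser bugs fixed in later bash releases need their own tests, so a clean result here is evidence for one pattern, not a general bill of health.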

