[Commotion-dev] Commotion and Shell Shock

Dan Staples danstaples at opentechinstitute.org
Thu Sep 25 14:45:45 EDT 2014


I did test it before I wrote that first email, and it is not vulnerable
to that problem.

On 09/25/2014 02:36 PM, Commotion-dev.NeoPhyte_Rep at OrdinaryAmerican.net
wrote:
> Uh, I know ash was developed by Kenneth Almquist, not by Stephen Bourne
> (bsh) nor Brian Fox (bash), but have you validated that ash is not
> vulnerable to the same exploit just announced for bash? Until tested,
> asserting that program a is not program b is not sufficient to claim
> that program a is not equally vulnerable.
> 
> On Thu, Sep 25, 2014 at 10:24 AM, danstaples at opentechinstitute.org wrote:
> 
>     It does run luci on the backend, but several of our luci scripts
>     actually make calls to a system shell. But still, it's not bash :)
> 
>     Dan
> 
>     On 09/25/2014 12:48 PM, Ben West wrote:
>     > This requires access to the shell interpreter (in this case bash). So,
>     > an exploiter would already need local execution privileges on the target
>     > machine, which looks like it is being accomplished through apache mod_cgi
>     > in known exploits.
>     >
>     > OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the
>     > ash/busybox binary presumably (?) wouldn't be involved.
>     >
>     > Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,
>     > though.
>     >
>     > http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
>     >
>     > Ubuntu:
>     > http://www.ubuntu.com/usn/usn-2362-1/
>     >
>     > Debian:
>     > https://lists.debian.org/debian-security-announce/2014/msg00220.html
>     > https://lists.debian.org/debian-security-announce/2014/msg00221.html
>     >
>     > Redhat:
>     > https://access.redhat.com/announcements/1210053
>     > https://access.redhat.com/articles/1200223
>     >
>     > OS X (must recompile bash):
>     > http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7
>     >
>     >
>     > On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples
>     > <danstaples at opentechinstitute.org> wrote:
>     >
>     >     The news about the Shell Shock/Bash bug[1] has gotten pretty big now.
>     >     There's also a lot of rhetoric about this being a bigger deal than the
>     >     Heartbleed vulnerability. I am wondering if it's worth putting up a
>     >     quick blog post on the Commotion website that the router firmware is
>     >     *not* vulnerable (since OpenWRT comes with the ash shell by default
>     >     rather than bash).
>     >
>     >     Thoughts?
>     >
>     >     Dan
>     >
>     >     [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>     >
>     >     --
>     >     Dan Staples
>     >
>     >     Open Technology Institute
>     >     https://commotionwireless.net
>     >     OpenPGP key: http://disman.tl/pgp.asc
>     >     Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
>     >     _______________________________________________
>     >     Commotion-dev mailing list
>     >     Commotion-dev at lists.chambana.net
>     >     https://lists.chambana.net/mailman/listinfo/commotion-dev
>     >
>     >
>     >
>     >
>     > --
>     > Ben West
>     > http://gowasabi.net
>     > ben at gowasabi.net
>     > 314-246-9434
> 
> 
> 
> 
> 
> 

-- 
Dan Staples

Open Technology Institute
https://commotionwireless.net
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
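Added example, not part of the thread: a POSIX sh self-check for the CVE-2014-6271 function-import flaw that the thread discusses, written so it can be pointed at ash, dash or bash on a router or a host. The function names and the `probe` variable are assumptions of mine; the check itself is the widely published environment-variable probe from the 2014 advisories.

```sh
#!/bin/sh
# Self-check for the original Shellshock parsing flaw (CVE-2014-6271).
# Usage: shellshock_check /bin/ash   (or bash, dash, ...)
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = interpreter not runnable.
shellshock_check() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || return 2
    # A vulnerable bash imports any environment value that starts with "() {"
    # as a function definition and keeps parsing past the closing brace, so
    # the trailing "echo SHOCKED" runs at startup. A fixed bash, and shells
    # such as ash or dash that never imported functions this way, only see
    # a plain string. The prefix assignment exports "probe" to the child only.
    out=$(probe='() { :;}; echo SHOCKED' "$shell" -c 'echo probe-ok' 2>/dev/null)
    case "$out" in
        *SHOCKED*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Check several interpreters and print one line each; returns 1 if any is vulnerable.
shellshock_report() {
    any_vuln=0
    for s in "$@"; do
        shellshock_check "$s"
        case $? in
            0) echo "$s: not vulnerable to CVE-2014-6271" ;;
            1) echo "$s: VULNERABLE to CVE-2014-6271"; any_vuln=1 ;;
            2) echo "$s: not found or not executable, skipped" ;;
        esac
    done
    return $any_vuln
}

# Example run over the shells an OpenWRT router or a desktop is likely to have.
shellshock_report /bin/sh /bin/ash /bin/bash /bin/dash
```

The probe only covers the original parsing bug; the follow-up bash CVEs from the same month need the updated packages linked earlier in the thread, not just this test.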

