[Commotion-dev] Commotion and Shell Shock
Dan Staples
danstaples at opentechinstitute.org
Thu Sep 25 14:45:45 EDT 2014
I did test it before I wrote that first email, and it is not vulnerable
to that problem.
On 09/25/2014 02:36 PM, Commotion-dev.NeoPhyte_Rep at OrdinaryAmerican.net
wrote:
> Uh, I know ash was developed by Kenneth Almquist, not by Stephen Bourne
> (bsh) nor Brian Fox (bash), but have you validated that ash is not
> vulnerable to the same exploit just announced for bash? Until tested,
> asserting that program a is not program b is not sufficient to claim
> that program a is not equally vulnerable.
>
> On Thu, Sep 25, 2014 at 10:24 AM, danstaples at opentechinstitute.org
> <mailto:danstaples at opentechinstitute.org> wrote:
>
> It does run luci on the backend, but several of our luci scripts
> actually make calls to a system shell. But still, it's not bash :)
>
> Dan
>
> On 09/25/2014 12:48 PM, Ben West wrote:
> > This requires access to the shell interpreter (in this case bash). So,
> > an exploiter would already need local execution privileges on the target
> > machine, which looks like is being accomplished through apache mod_cgi
> > on known exploits.
> >
> > OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the
> > ash/busybox binary presumably (?) wouldn't be involved.
> >
> > Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,
> > though.
> >
> > http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
> >
> > Ubuntu:
> > http://www.ubuntu.com/usn/usn-2362-1/
> >
> > Debian:
> > https://lists.debian.org/debian-security-announce/2014/msg00220.html
> > https://lists.debian.org/debian-security-announce/2014/msg00221.html
> >
> > Redhat:
> > https://access.redhat.com/announcements/1210053
> > https://access.redhat.com/articles/1200223
> >
> > OS X (must recompile bash):
> > http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7
> >
> >
> > On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples
> > <danstaples at opentechinstitute.org
> <mailto:danstaples at opentechinstitute.org>
> > <mailto:danstaples at opentechinstitute.org
> <mailto:danstaples at opentechinstitute.org>>> wrote:
> >
> > The news about the Shell Shock/Bash bug[1] has gotten pretty big now.
> > There's also a lot of rhetoric about this being a bigger deal than the
> > Heartbleed vulnerability. I am wondering if it's worth putting up a
> > quick blog post on the Commotion website that the router firmware is
> > *not* vulnerable (since OpenWRT comes with the ash shell by default
> > rather than bash).
> >
> > Thoughts?
> >
> > Dan
> >
> > [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> >
> > --
> > Dan Staples
> >
> > Open Technology Institute
> > https://commotionwireless.net
> > OpenPGP key: http://disman.tl/pgp.asc
> > Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
> > _______________________________________________
> > Commotion-dev mailing list
> > Commotion-dev at lists.chambana.net
> <mailto:Commotion-dev at lists.chambana.net>
> > <mailto:Commotion-dev at lists.chambana.net
> <mailto:Commotion-dev at lists.chambana.net>>
> > https://lists.chambana.net/mailman/listinfo/commotion-dev
> >
> >
> >
> >
> > --
> > Ben West
> > http://gowasabi.net
> > ben at gowasabi.net <mailto:ben at gowasabi.net>
> <mailto:ben at gowasabi.net <mailto:ben at gowasabi.net>>
> > 314-246-9434 <tel:314-246-9434>
>
> --
> Dan Staples
>
> Open Technology Institute
> https://commotionwireless.net
> OpenPGP key: http://disman.tl/pgp.asc
> Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
> _______________________________________________
> Commotion-dev mailing list
> Commotion-dev at lists.chambana.net
> <mailto:Commotion-dev at lists.chambana.net>
> https://lists.chambana.net/mailman/listinfo/commotion-dev
>
>
>
>
> _______________________________________________
> Commotion-dev mailing list
> Commotion-dev at lists.chambana.net
> https://lists.chambana.net/mailman/listinfo/commotion-dev
>
--
Dan Staples
Open Technology Institute
https://commotionwireless.net
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
More information about the Commotion-dev
mailing list