[Commotion-dev] Commotion and Shell Shock

Ben West ben at gowasabi.net
Thu Sep 25 14:47:21 EDT 2014


The one-line test I've seen on the bug announcements doesn't appear to
affect OpenWRT AA v41303:

root at myawesomenode:~# grep REVISION /etc/openwrt_release
DISTRIB_REVISION="r41303"

root at myawesomenode:~# opkg list_installed | grep busybox
busybox - 1.19.4-6

root at myawesomenode:~# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff



On Thu, Sep 25, 2014 at 1:36 PM, <Commotion-dev.NeoPhyte_Rep at ordinaryamerican.net> wrote:

> Uh, I know ash was developed by Kenneth Almquist, not by Stephen Bourne
> (bsh) nor Brian Fox (bash), but have you validated that ash is not
> vulnerable to the same exploit just announced for bash? Until tested,
> asserting that program a is not program b is not sufficient to claim that
> program a is not equally vulnerable.
>
>
> On Thu, Sep 25, 2014 at 10:24 AM, danstaples at opentechinstitute.org wrote:
>
>> It does run luci on the backend, but several of our luci scripts
>> actually make calls to a system shell. But still, it's not bash :)
>>
>> Dan
>>
>> On 09/25/2014 12:48 PM, Ben West wrote:
>> > This requires access to the shell interpreter (in this case bash). So,
>> > an exploiter would already need local execution privileges on the target
>> > machine, which looks like is being accomplished through apache mod_cgi
>> > on known exploits.
>> >
>> > OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the
>> > ash/busybox binary presumably (?) wouldn't be involved.
>> >
>> > Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,
>> > though.
>> >
>> > http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
>> >
>> > Ubuntu:
>> > http://www.ubuntu.com/usn/usn-2362-1/
>> >
>> > Debian:
>> > https://lists.debian.org/debian-security-announce/2014/msg00220.html
>> > https://lists.debian.org/debian-security-announce/2014/msg00221.html
>> >
>> > Redhat:
>> > https://access.redhat.com/announcements/1210053
>> > https://access.redhat.com/articles/1200223
>> >
>> > OS X (must recompile bash):
>> > http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7
>> >
>> >
>> > On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples
>> > <danstaples at opentechinstitute.org
>> > <mailto:danstaples at opentechinstitute.org>> wrote:
>> >
>> >     The news about the Shell Shock/Bash bug[1] has gotten pretty big now.
>> >     There's also a lot of rhetoric about this being a bigger deal than the
>> >     Heartbleed vulnerability. I am wondering if it's worth putting up a
>> >     quick blog post on the Commotion website that the router firmware is
>> >     *not* vulnerable (since OpenWRT comes with the ash shell by default
>> >     rather than bash).
>> >
>> >     Thoughts?
>> >
>> >     Dan
>> >
>> >     [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>> >
>> >     --
>> >     Dan Staples
>> >
>> >     Open Technology Institute
>> >     https://commotionwireless.net
>> >     OpenPGP key: http://disman.tl/pgp.asc
>> >     Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
>> >     _______________________________________________
>> >     Commotion-dev mailing list
>> >     Commotion-dev at lists.chambana.net
>> >     <mailto:Commotion-dev at lists.chambana.net>
>> >     https://lists.chambana.net/mailman/listinfo/commotion-dev
>> >
>> >
>> >
>> >
>> > --
>> > Ben West
>> > http://gowasabi.net
>> > ben at gowasabi.net <mailto:ben at gowasabi.net>
>> > 314-246-9434
>>
>> --
>> Dan Staples
>>
>> Open Technology Institute
>> https://commotionwireless.net
>> OpenPGP key: http://disman.tl/pgp.asc
>> Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
>>
>
>
>
>


-- 
Ben West
http://gowasabi.net
ben at gowasabi.net
314-246-9434
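As an added example (not part of Ben's message or of the Commotion/OpenWRT code), the one-line check quoted at the top of this thread wrapped in a POSIX sh function, so the same test can be pointed at every shell binary on a box instead of only /bin/sh. A vulnerable bash imports the function definition from the environment variable and then runs the command that follows the closing brace; a patched bash, and shells that never import functions this way (busybox ash, dash), only run the `-c` command. The shell paths in the final call are assumptions; any that are absent on a given system are reported as missing rather than treated as a finding.

```shell
#!/bin/sh
# Added example: report whether a given shell binary honours the
# CVE-2014-6271 environment-function import. Assumes the shell under
# test accepts "-c" and that "env" is available.

# shellshock_check PATH_TO_SHELL
# Prints "vulnerable" (returns 1), "not vulnerable" (returns 0),
# or "missing" (returns 2) when the binary is not present/executable.
shellshock_check() {
    sh_under_test="$1"
    if [ ! -x "$sh_under_test" ]; then
        echo "missing"
        return 2
    fi
    # Same probe as in the thread: the function body is a no-op, and the
    # trailing "echo busted" only ever runs if the shell parsed and
    # executed the environment value as code. stderr is discarded because
    # a patched bash prints a warning about the ignored definition.
    out=$(env X='() { :;}; echo busted' "$sh_under_test" -c 'echo stuff' 2>/dev/null) || true
    case "$out" in
        *busted*) echo "vulnerable";     return 1 ;;
        *)        echo "not vulnerable"; return 0 ;;
    esac
}

# check_all SHELL... : run the probe against each path, one result per line.
# Returns 1 if any listed shell is vulnerable; missing shells are skipped.
check_all() {
    rc=0
    for s in "$@"; do
        printf '%s: ' "$s"
        status=0
        shellshock_check "$s" || status=$?
        if [ "$status" -eq 1 ]; then
            rc=1
        fi
    done
    return $rc
}

# The paths below are assumptions; on an OpenWRT node /bin/sh is busybox ash.
check_all /bin/sh /bin/bash /bin/ash /bin/dash
```

On a node where /bin/sh is busybox ash the output matches the transcript above: the `echo stuff` runs and nothing after the brace is executed, so the function reports "not vulnerable". Running it on a Debian/Ubuntu host before and after applying the vendor update is a quick way to confirm the patch actually landed on the binary that CGI scripts invoke.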