[Commotion-dev] Commotion and Shell Shock

Ben West ben at gowasabi.net
Thu Sep 25 14:48:36 EDT 2014


Possibly a different story for Android, tho:

https://twitter.com/tehowe/status/514859890662440961/photo/1

On Thu, Sep 25, 2014 at 1:47 PM, Ben West <ben at gowasabi.net> wrote:

> The one-line test I've seen on the bug announcements doesn't appear to
> affect OpenWRT AA r41303:
>
> root at myawesomenode:~# grep REVISION /etc/openwrt_release
>
> DISTRIB_REVISION="r41303"
>
>
> root at myawesomenode:~# opkg list_installed | grep busybox
>
> busybox - 1.19.4-6
>
>
> root at myawesomenode:~# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
>
> stuff
>
>
>
> On Thu, Sep 25, 2014 at 1:36 PM, <Commotion-dev.NeoPhyte_Rep at ordinaryamerican.net> wrote:
>
>> Uh, I know ash was developed by Kenneth Almquist, not by Stephen Bourne
>> (bsh) nor Brian Fox (bash), but have you validated that ash is not
>> vulnerable to the same exploit just announced for bash? Until tested,
>> asserting that program a is not program b is not sufficient to claim that
>> program a is not equally vulnerable.
>>
>>
>> On Thu, Sep 25, 2014 at 10:24 AM, danstaples at opentechinstitute.org wrote:
>>
>>> It does run luci on the backend, but several of our luci scripts
>>> actually make calls to a system shell. But still, it's not bash :)
>>>
>>> Dan
>>>
>>> On 09/25/2014 12:48 PM, Ben West wrote:
>>> > This requires access to the shell interpreter (in this case bash). So,
>>> > an exploiter would already need local execution privileges on the target
>>> > machine, which looks like it is being accomplished through apache mod_cgi
>>> > in known exploits.
>>> >
>>> > OpenWRT-based firmwares use uhttpd and luci for CGI apps, so the
>>> > ash/busybox binary presumably (?) wouldn't be involved.
>>> >
>>> > Definitely run security updates on any Ubuntu/Debian/Redhat/OS X boxen,
>>> > though.
>>> >
>>> > http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
>>> >
>>> > Ubuntu:
>>> > http://www.ubuntu.com/usn/usn-2362-1/
>>> >
>>> > Debian:
>>> > https://lists.debian.org/debian-security-announce/2014/msg00220.html
>>> > https://lists.debian.org/debian-security-announce/2014/msg00221.html
>>> >
>>> > Redhat:
>>> > https://access.redhat.com/announcements/1210053
>>> > https://access.redhat.com/articles/1200223
>>> >
>>> > OS X (must recompile bash):
>>> > http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7
>>> >
>>> >
>>> > On Thu, Sep 25, 2014 at 9:53 AM, Dan Staples
>>> > <danstaples at opentechinstitute.org
>>> > <mailto:danstaples at opentechinstitute.org>> wrote:
>>> >
>>> >     The news about the Shell Shock/Bash bug[1] has gotten pretty big now.
>>> >     There's also a lot of rhetoric about this being a bigger deal than the
>>> >     Heartbleed vulnerability. I am wondering if it's worth putting up a
>>> >     quick blog post on the Commotion website that the router firmware is
>>> >     *not* vulnerable (since OpenWRT comes with the ash shell by default
>>> >     rather than bash).
>>> >
>>> >     Thoughts?
>>> >
>>> >     Dan
>>> >
>>> >     [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>>> >
>>> >     --
>>> >     Dan Staples
>>> >
>>> >     Open Technology Institute
>>> >     https://commotionwireless.net
>>> >     OpenPGP key: http://disman.tl/pgp.asc
>>> >     Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
>>> >     _______________________________________________
>>> >     Commotion-dev mailing list
>>> >     Commotion-dev at lists.chambana.net
>>> >     <mailto:Commotion-dev at lists.chambana.net>
>>> >     https://lists.chambana.net/mailman/listinfo/commotion-dev
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Ben West
>>> > http://gowasabi.net
>>> > ben at gowasabi.net <mailto:ben at gowasabi.net>
>>> > 314-246-9434
>>>
>



-- 
Ben West
http://gowasabi.net
ben at gowasabi.net
314-246-9434
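The one-liner quoted above is the check for the original CVE-2014-6271 bug only, not the CVE-2014-7169 follow-up the Apple link mentions. The script below is an added example, not code from the thread or from the Commotion project: it wraps that same probe so it can be run against every shell binary on a box (busybox ash behind /bin/sh on OpenWRT, bash or dash elsewhere) and the verdict read from an exit code. The candidate path list is an assumption.

```shell
#!/bin/sh
# Added example: run the CVE-2014-6271 probe from the thread against a given
# shell binary and report the outcome through the exit status.

# shellshock_check SHELL_PATH
#   0 = probe did not trigger, 1 = shell executed the injected command,
#   2 = nothing executable at that path (skipped).
shellshock_check() {
    shell=$1
    [ -x "$shell" ] || return 2
    # The value of X is a function definition followed by a trailing
    # command. A vulnerable shell imports the function at startup and also
    # executes the trailing "echo busted" before it reaches the -c argument;
    # a fixed shell treats X as an ordinary variable and only prints "stuff".
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo stuff' 2>/dev/null)
    case $out in
        *busted*) return 1 ;;
        *)        return 0 ;;
    esac
}

# shellshock_label SHELL_PATH: one-line human-readable verdict on stdout.
shellshock_label() {
    rc=0
    shellshock_check "$1" || rc=$?
    case $rc in
        0) echo "$1: probe did not trigger (CVE-2014-6271 test)" ;;
        1) echo "$1: VULNERABLE, injected command ran" ;;
        *) echo "$1: not found, skipped" ;;
    esac
}

# Assumed candidate list; adjust for the firmware or distro under test.
shellshock_report() {
    for s in /bin/sh /bin/bash /bin/dash /bin/ash; do
        shellshock_label "$s"
    done
}

shellshock_report
```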