"Shellshock" bash bug

Gene Heskett gheskett at wdtv.com
Sat Sep 27 12:15:08 UTC 2014 

On Saturday 27 September 2014 02:43:19 Colin Law did opine
And Gene did reply:
> On 27 September 2014 01:31, Gene Heskett <gheskett at wdtv.com> wrote:
> > On Friday 26 September 2014 17:17:06 Colin Law did opine
> > 
> > And Gene did reply:
> >> On 26 September 2014 16:43, Kevin O'Gorman <kogorman at gmail.com> 
wrote:
> >> > There has been a code-injection vulnerability in bash for the last
> >> > 22 years, recently discovered and named "Shellshock".  It's
> >> > nasty.
> >> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> >> 
> >> I don't fully understand the description.  I have a system that
> >> cannot be updated that has an ssh port open to the internet, with
> >> access by keys only.  Is that system vulnerable to attack?
> >> 
> >> Colin
> > 
> > Top posting, bah! Read the rest of the message below, open a terminal
> 
> Who is top posting?  I had read the rest of the post.  My question
> related to the the quoted section.
> 
> >> > Here's a quick one-liner to see if you're vulnerable:
> >> > $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
> >> > vulnerable
> > 
> > And enter into the terminal from the keyboard, the above line
> > starting with "env", to the end at 'test"', duplicating the
> > quotation marks etc you see above.
> > 
> > Then hit enter and you should get the vulnerable return if you are,
> > or the bash error shown below, ending in the last line 'this is a
> > test'.  That response says you are not vulnerable.
> 
> No, the message tells me that I have a vulnerable version of bash
> installed, not whether my system is vulnerable to attack as I asked.
> The point is that with a machine that is only open to the internet via
> ssh  with access by keys only, is the system vulnerable?  So far that
> answer seems to be no, provided one's router is not hacked.
> 
> Colin

I have no knowledge of what is in the average router, only what is in mine 
which has been reflashed to dd-wrt. There is not a full blown bash in 
that, underneath its Busybox.  Busybox linux doesn't have a byte of code 
in it that is not used, and that which is used is often stripped of 
features not needed in a router specialized use, so my assumption, which 
is exactly that, a SWAG if you want to use the term, is that its enough 
different that the answer almost certainly has to be no.

No one has yet reported that their router has been powned that I know of 
except me.  The first one I ever bought, a Seimans from circuit city about 
14 or 15 years ago, was attacked and bricked less than 24 hours after I 
installed it.  I took it back and brought home a BEFSR41 which worked for 
many yers and could yet, all I would have to do is move the cables, but my 
web page would disappear because its NATed port forward capabilities 
aren't there.  It is not dd-wrt.

That is not to say that that a router cannot be hacked, but likely not by 
shellshock style attacks.

That said, update-manager just popped up, and there is a 3rd bash update 
in the pipeline.  Do the update now, and reboot.  Only by rebooting can 
you be assured that every bash instance in your system is using the new 
one. I am doing it as soon as I've clicked on send.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS

More information about the ubuntu-users mailing list