"Shellshock" bash bug

Colin Law clanlaw at gmail.com
Sat Sep 27 12:41:05 UTC 2014 

On 27 September 2014 13:31, Robert Heller <heller at deepsoft.com> wrote:
> At Sat, 27 Sep 2014 07:36:59 +0100 "Ubuntu user technical support,  not for general discussions" <ubuntu-users at lists.ubuntu.com> wrote:
>
>>
>> On 26 September 2014 23:24, Teo En Ming
>> <singapore.mr.teo.en.ming at gmail.com> wrote:
>> > On 27/09/2014 05:57, Rashkae wrote:
>> >>
>> >> On 14-09-26 05:50 PM, Colin Law wrote:
>> >>>
>> >>>
>> >>> It is a sheeva plug computer with an Arm processor.  Jaunty was the
>> >>> last ubuntu version that supported the chip.
>> >>>
>> >>> It seems however that my initial assumption is correct, that if they
>> >>> cannot login as they do not have the key then they cannot exploit the
>> >>> vulnerability.
>> >>>
>> >>> If someone manages to crack the key and login then the vulnerability
>> >>> is the least of my worries I think.
>> >>>
>> >>> Colin
>> >>>
>> >>
>> >> As far as ssh goes, that is correct, your attack surface there is pretty
>> >> small, but you have to be careful about anything else, such as web cgi
>> >> scripts, or even a default install of Apache, which can try to fork a
>> >> process with bash.  Also, dhcpclient is vulnerable, if the computer ever
>> >> tries to get a dhcp address from a a bad dhcp server.
>> >>
>> >>
>> >
>> > But dhcp server is usually on a router. I think the hacker would have to
>> > hack the router to plant a bad dhcp server there. But then any Linux-based
>> > router is also vulnerable to the shellshock bash bug.
>>
>> Is that not only true if the router has bash installed? As I asked in
>> a previous message how does one know whether one's router may be
>> vulnerable?
>
> Actually, no. What would happen is that a 'hacked' router's dhcp server would
> send DHCP options as environment variables and the bash on the DHCP *client*
> would then execute the code in the specially crafter environment variables...
> The *dhcp* server (the router) does not even need bash installed to do this.

OK, understood, it does not need the router to be vulnerable to
Shellshock, but it does require the router to be hacked.  I think if
one has a hacked router then one is already in big trouble.

If someone found a similar vulnerability in busybox then we would,
presumably, have to throw out many of our old routers that are not
supported any more.

Colin

More information about the ubuntu-users mailing list