[Tfug] Do we need a new bash?

Harry McGregor micros at osef.org
Thu Sep 25 23:42:43 MST 2014


Hi,

This vulnerability really does NOT apply to "things".

No embedded dev will waste flash memory space using DASH let alone BASH.

Many/most Debian and Ubuntu environments use DASH as /bin/sh and are NOT 
remotely vulnerable to this via Apache, etc, even though BASH is still 
installed.

Almost every embedded Linux device on the planet uses busybox to provide 
/bin/sh, and most other GNUish type utils.

dd-wrt example:

root at DD-WRT:~# which sh
/bin/sh
root at DD-WRT:~# ls -l /bin/sh
lrwxrwxrwx    1 root     root             7 Dec  8  2011 /bin/sh -> busybox
root at DD-WRT:~# ls -l /bin/busybox
-rwxr-xr-x    1 root     root        416355 Dec  8  2011 /bin/busybox

Is this a major vulnerability? Sure. Will there be a very long tail on 
it due to some embedded devices having it exposed? Sure. Will it be a 
huge issue in the embedded world? No.

The worst thing from this will be the same as heartbleed, every 
non-technical manager type jumping up and down that this has to get 
fixed, even to the point of shutting systems down until they can get 
fixed... when the systems are test/internal systems that can only be 
reached by going through bastion hosts on the internal network...

If someone is exploiting this from within a very limited access part of 
your network, you have bigger problems.

-Harry
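Added example, not part of Harry's message or of anything else in this thread: a small POSIX sh script that checks the two things Harry's argument turns on, namely which binary /bin/sh actually resolves to (dash, busybox or bash) and whether a given shell imports a function definition from the environment, using the same self-test string JD Rogers quoted further down. The function names are my own; the test string is the thread's.

```sh
#!/bin/sh
# Added example, not from the thread: a local, defender-side check that
# reports what /bin/sh really is and runs the self-test quoted in the thread
# against a named shell binary. Function names are assumptions of this
# example, not anything from the list discussion.

# Follow the symlink chain from a path (default /bin/sh) to its final target,
# e.g. /bin/sh -> dash or /bin/sh -> busybox. Falls back to echoing the path
# itself when readlink -f is unavailable.
resolve_sh() {
    path="${1:-/bin/sh}"
    readlink -f "$path" 2>/dev/null || printf '%s\n' "$path"
}

# Run the function-import self-test against one shell binary.
# Exit status: 0 = not affected, 1 = affected, 2 = shell not found.
# dash and busybox ash never import functions from the environment, so for
# them x is an ordinary variable and only "this is a test" is printed.
shellshock_check() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Human-readable verdict for a shell, printed on stdout.
verdict() {
    rc=0
    shellshock_check "$1" || rc=$?
    case "$rc" in
        0) echo "not affected" ;;
        1) echo "affected" ;;
        *) echo "not found" ;;
    esac
}

# One line for the interpreter that system()/popen() callers such as a web
# server actually invoke (/bin/sh), and one for bash itself. Both answers
# matter: a patched or absent bash behind a dash /bin/sh is exactly the
# Debian/Ubuntu situation Harry describes.
report() {
    printf '/bin/sh -> %s: %s\n' "$(resolve_sh /bin/sh)" "$(verdict /bin/sh)"
    printf 'bash: %s\n' "$(verdict bash)"
}

report
```

Run it as `sh check-sh.sh`; on a dd-wrt box like the one in Harry's listing the first line would name busybox and report it not affected, while the second line reports bash as not found. The check only tells you about the shell on the machine it runs on; it says nothing about whether any network-facing service hands environment variables to that shell.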

On 09/25/2014 07:35 PM, erich wrote:
> You know what this amounts to?
> Any platform that can run commands from a prompt and is listening 
> on some port is vulnerable. A coffeemaker could have lots of serial inputs 
> (/dev/ttyxx) and be listening on ports 21, 23, 80 that would make it a 
> sitting duck. Right?
> Oh, and yes, it's running a shell.
> Erich
>
>
> JD Rogers wrote:
>> updates have been coming through..
>> You can check your bash with:
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>
>> and update with your package manager if needed.. I would bet most 
>> dists have released the fixes by now. The coffee maker is another 
>> matter. So is my WD nas.
>>
>> On Thu, Sep 25, 2014 at 1:15 PM, erich <erich1 at copper.net 
>> <mailto:erich1 at copper.net>> wrote:
>>
>>     They call it,
>>           "Shellshock" Yesterday I read that it affects internet
>>     "things" such
>>     as a coffeemaker or oven attached to the internet. Today it's 
>> anything
>>     with a bash shell. Bash is popular, but it's not the only shell. Why
>>     wouldn't other shells be vulnerable?
>>             I'd send internet links to show what I was talking about,
>>     but our
>>     listserve kicks them out. (We're pretty secure. Aren't we?)
>>
>>     Erich
>>
>>     _______________________________________________
>>     Tucson Free Unix Group - tfug at tfug.org <mailto:tfug at tfug.org>
>>     Subscription Options:
>>     http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>>
>>
>
>