Are our WiFi routers and rooftop radios affected by the Bash Shellshock vulnerability?

Discussion in 'Linux Networking' started by Ger Robertson, Sep 26, 2014.

  1. Anyone know how we can tell if our WiFi routers and rooftop radios are
    affected by the Bash Shellshock vulnerability?
     
    Ger Robertson, Sep 26, 2014
    #1

  2. Ger Robertson wrote this copyrighted missive and expects royalties:
    Shell into it and see!
     
    Chris Ahlstrom, Sep 26, 2014
    #2

  3. Ger Robertson

    John Hasler Guest

    > Anyone know how we can tell if our WiFi routers and rooftop radios are

    They almost certainly aren't. Bash is unlikely to be installed on
    embedded systems: too large. They probably use Busybox. Besides, if
    anyone on the WAN can connect to your router at all it's already broken.
    Of course, if you are running the manufacturer's firmware it probably
    has a dozen gaping holes built in anyway...
     
    John Hasler, Sep 26, 2014
    #3
  4. Ger Robertson

    Caver1 Guest

    Ubuntu with bash scripts is used for many embedded appliances and they
    are vulnerable.
     
    Caver1, Sep 26, 2014
    #4
  5. Ger Robertson

    Caver1 Guest

    Caver1, Sep 26, 2014
    #5
  6. Ger Robertson

    Java Jive Guest

    "The critical Shellshock flaw affects many Linux and Apple systems —
    here’s what you need to know"

    But actually tells you nothing really useful at all, just gives as
    many scary quotes from as many security experts as he could find when
    writing up his useless FUD.

    If he was really concerned, he would have found out enough about how
    best to fix it temporarily until security updates come along.

    --
    =========================================================
    Please always reply to ng as the email in this post's
    header does not exist. Or use a contact address at:
    http://www.macfh.co.uk/JavaJive/JavaJive.html
    http://www.macfh.co.uk/Macfarlane/Macfarlane.html
     
    Java Jive, Sep 26, 2014
    #6
  7. Ger Robertson

    Shadow Guest

    Telnet (or Putty) into it and
    sh
    will tell you what shell it runs.
    []'s
     
    Shadow, Sep 26, 2014
    #7
  8. And our toasters! I now know whom to blame when my toast burns tomorrow.
     
    William Unruh, Sep 27, 2014
    #8
  9. No, it will tell you what shell it runs as a replacement for sh. It may
    have many shells installed.
    And once you have telneted in, you already have shell access so do not
    need shell access.
    The question is whether there are any externally listening programs
    which use bash and which can be fed "carefully crafted" environment
    variables from outside.
     
    William Unruh, Sep 27, 2014
    #9
  10. Ger Robertson

    Shadow Guest

    #sh

    BusyBox v1.00 (2012.02.06-00:34+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.

    #cat /etc/services

    Aw, c'mon, it's a start.
    []'s
     
    Shadow, Sep 27, 2014
    #10
  11. Shadow wrote, on Fri, 26 Sep 2014 18:16:30 -0300:
    How do you telnet into your router?
    It just hung when I tried it.

    $ telnet router
    Trying 192.168.1.1...
    Connected to router.
    Escape character is '^]'.
     
    Ger Robertson, Sep 27, 2014
    #11
  12. Ger Robertson

    Wildman Guest

    To find out what the default shell is, enter this...
    echo $SHELL
    If it is bash and there are other shells installed, you can
    change the default shell.
    chsh -s /bin/dash
    or
    chsh -s /bin/sh
    or whatever.
     
    Wildman, Sep 27, 2014
    #12
  13. Different default. This is the default for that particular user-- the
    shell that is opened up on a terminal when the user logs in. The
    default I was talking about is the default that the system uses in
    general- it is usually called sh, but most systems have /bin/sh pointing
    to some other shell which also has the same commands as the classic sh
    shell (such as bash). Writers expect sh to comply with certain standards
    so for example /bin/tcsh would not be a good thing for /bin/sh to point
    to because the structure of tcsh is very different from the old sh.
    That will change your own particular shell that is brought up when you
    log in. Actually the latter will probably give you bash anyway, since
    /bin/sh is often a link to /bin/bash.
     
    William Unruh, Sep 27, 2014
    #13
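
A local check along the lines of posts #9 and #13, as an added example that is not part of any poster's message: it shows what `/bin/sh` really resolves to, whether each installed shell is bash, and whether that bash executes text trailing a function definition in an imported environment variable. The function names and the `IMPORT_EXECUTED` marker are constructed for this example; it does not tell you whether a network-facing service on the device hands outside data to that shell.

```shell
#!/bin/sh
# Added example, not from the thread. Run it on the device (or a chroot of its
# firmware); it inspects local shell binaries only.
MARKER="IMPORT_EXECUTED"   # constructed, harmless marker string

# Print the real file behind a shell path, e.g. /bin/sh -> /bin/dash.
resolve_shell() {
    readlink -f "$1" 2>/dev/null || echo "$1"
}

# Succeed if the binary is bash, whatever name it is installed under.
is_bash() {
    [ -n "$("$1" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null </dev/null)" ]
}

# Succeed if the shell runs the text that trails a function definition while
# importing an environment variable, which is the Shellshock behaviour.
imports_and_executes() {
    out=$(env probe="() { :;}; echo $MARKER" "$1" -c ':' 2>/dev/null </dev/null)
    case "$out" in
        *"$MARKER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one path: missing, not-bash, bash-patched or bash-vulnerable.
classify_shell() {
    [ -x "$1" ] || { echo missing; return; }
    is_bash "$1" || { echo not-bash; return; }
    if imports_and_executes "$1"; then
        echo bash-vulnerable
    else
        echo bash-patched
    fi
}

# Report on /bin/sh, the login shell and the shells listed in /etc/shells.
audit_shells() {
    for s in /bin/sh "${SHELL:-/bin/sh}" $(grep -E '^/.*sh$' /etc/shells 2>/dev/null); do
        printf '%s -> %s: %s\n' "$s" "$(resolve_shell "$s")" "$(classify_shell "$s")"
    done | sort -u
}

audit_shells
```

A `not-bash` result for `/bin/sh` does not clear the device if another line reports `bash-vulnerable`, since a service can call bash by its full path.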
  14. Ger Robertson

    Shadow Guest

    Maybe you disabled telnet access in the GUI, or it could be
    "off" by default?
    Try configuring via GUI first. Or maybe it does not allow
    access via wireless, like mine, I need an Ethernet connection to login
    as admin.
    And experiment with PuTTY. Nice little freeware utility

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

    Might be in your repos if you run Linux.
    []'s
     
    Shadow, Sep 27, 2014
    #14
  15. Ger Robertson

    Shadow Guest

    Do you know any cheapo home routers (D-Link, Netgear, etc)
    that actually use bash, and not BusyBox, or some other compact
    "do-all" binary ?
    I know the expensive ones might use it, and the shell on my
    homemade CD-Booted router/firewall running on an old AMD K6 was bash,
    but bash is a bit of an overkill for a cheap home router.
    []'s
     
    Shadow, Sep 27, 2014
    #15
  16. Ger Robertson

    Wildman Guest

    On a Linux/Unix system that is true. I don't think routers
    support multiple users or do they?
    If routers support only one user, that would not be an issue.
    Even so, it is possible to change the default shell for all
    users.
    On my system, SolydX, sh points to dash. The same is true
    for Mint, Ubuntu and MX-14. Don't know about any others.
     
    Wildman, Sep 27, 2014
    #16
  17. Ger Robertson

    Ant Guest

    I thought you meant Cylons at first. :p
    --
    "For every 1 person on earth there are 1 million ants." --Factoid for
    the video of Adam Ant's "Goody Two Shoes" Pop Up Video
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) If e-mailing, then axe ANT from its address if needed.
    Ant is currently not listening to any songs on this computer.
     
    Ant, Sep 27, 2014
    #17
  18. Ger Robertson

    Caver1 Guest


    I agree, just pointed this out to show that routers could be affected.
     
    Caver1, Sep 27, 2014
    #18
  19. Then there are the TV sets (both of mine run Linux, but have no means of
    connecting to the Internet), and both my blu-ray players run Linux (and
    they do have ethernet ports).

    Michael
     
    Michael Black, Sep 29, 2014
    #19
  20. Ger Robertson

    alexd Guest

    How many embedded appliances are running Ubuntu, again?
     
    alexd, Oct 3, 2014
    #20