Shell shock bash bug - are our routers vulnerable?

coople · ‎15-04-2014

See http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
thanks

Gus · ‎31-07-2007

Want a video of Penguins eating crow for a change

FTTP 500 regrade from Tues 28th November

ejs · ‎10-06-2010

Routers almost always contain busybox rather than the GNU bash software itself.

bobpullen · ‎04-04-2007

No, they're not.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

coople · ‎15-04-2014

Thanks Bob

Townman · ‎22-08-2007

I rather seem to recall smug anti-Microsoft faces claiming that *nix is immune to virus attacks!

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

HairyMcbiker · ‎16-02-2009

This is NOT a virus as such! just a bug ;-]

Townman · ‎22-08-2007

Fair point... until someone writes a bit of self perpetuating code which exploits the "bug"

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

HairyMcbiker · ‎16-02-2009

But the vast majority of things that used it were written in the 80's, most systems don't use bash scripts for web pages anymore, which is where it is exploited. Why use a bash script when a perl or ruby script is more likely now. Also it still ONLY runs with the users privileges, and most web servers have zero permissions for scripts. So it could write to the local folder but that is about it.

krumike · ‎07-06-2013

After seeing that the US has rated shell shock as "10 out of 10 from a severity point of view" (ref: http://www.bbc.co.uk/news/technology-29375636 ) I decided to look for announcements from Plusnet.
Couldn't find any. Looked through support pages. Service status announcements. Twitter feeds. Community blog tags (announcements, incident reports, industry news). And finally searched the forums. Found a thread which was locked with a comment from the forum moderator "locked as its already covered here..." http://community.plus.net/forum/index.php/topic,132240.0.html
... which brought me to this thread. With single official reply "No, they're not."

Is that it? Or have I missed something more detailed in my search?
Despite being glad my plusnet router is not vulnerable, given the global news coverage of this extraordinary vulnerability I am shocked that this is not offered a fuller explanation and given more prominence in an easier to find location. Surely Plusnet customers deserve to know that they are safe from this vulnerability.
There. That's my rant over.
PS. I'm happy really. Just find it incredible I had to really route around (pun intended) to get the answer.

HairyMcbiker · ‎16-02-2009

The router doesn't have bash on it by default, so no they are not vulnerable.
In fact it doesn't really even have a shell as such just a limited one.

ejs · ‎10-06-2010

The technicolor firmware does contain busybox which provides the shell and most of the standard command line programs, like any other router. There's no way to access the shell, or if there is a way, it's not publicised. Although it wouldn't be much use anyway, since the vast majority of the technicolor firmware functions are contained in a single large program which must always be running.

kjpetrie · ‎19-12-2010

Glad to know the routers don't run bash.
Actually, I think 10 out of 10 is a bit extreme. To exploit this flaw a hacker would need the website programmer to pass input direct to a shell, and that's just bad programming. No one should ever use input for anything without checking it matches the expected pattern for input, and I would never want to pass input to a shell because the shell is so powerful it would be madness to do that. Also, if the input is passed to the shell, I'm not sure what this bug actually adds. The shell is designed to process commands passed to it, so why would we need this convoluted way of doing it? If I have access to bash, I can simply write commands without going through this process. If I haven't, I can't use it.
So I'm really unclear as to where the new danger is here. This just looks like a curious bug to me. Nothing I have read shows how it could actually be used to gain access a person hasn't already got.

krumike · ‎07-06-2013

Quote from: kjpetrie
So I'm really unclear as to where the new danger is here. This just looks like a curious bug to me. Nothing I have read shows how it could actually be used to gain access a person hasn't already got.

I'm certainly no techie in this field... but I've seen other forums link to http://en.wikipedia.org/wiki/Shellshock_(software_bug)
Does it help? It seems to be kept up-to-date with developments. (The usual wikipedia caveat applies)

TORPC · ‎08-12-2013

For some reason the forum omits the ) from the end of the link
Here it is corrected
http://en.wikipedia.org/wiki/Shellshock_(software_bug)
dick:quote