Shell shock bash bug - are our routers vulnerable?

coople
Grafter
Posts: 42
Registered: 15-04-2014

17 REPLIES
Community Veteran
Posts: 3,187
Thanks: 20
Fixes: 2
Registered: 31-07-2007

Re: Shell shock bash bug - are our routers vulnerable?

Want a video of Penguins eating crow for a change  Roll eyes
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
Community Veteran
Posts: 5,094
Thanks: 454
Fixes: 17
Registered: 10-06-2010

Re: Shell shock bash bug - are our routers vulnerable?

Routers almost always contain busybox rather than the GNU bash software itself.
Community Gaffer
Posts: 13,224
Thanks: 966
Fixes: 81
Registered: 04-04-2007

Re: Shell shock bash bug - are our routers vulnerable?

No, they're not.

Bob Pullen
Plusnet Product Team

coople
Grafter
Posts: 42
Registered: 15-04-2014

Re: Shell shock bash bug - are our routers vulnerable?

Thanks Bob
Superuser
Posts: 11,550
Thanks: 2,966
Fixes: 22
Registered: 22-08-2007

Re: Shell shock bash bug - are our routers vulnerable?

I rather seem to recall smug anti-Microsoft faces claiming that *nix is immune to virus attacks!  Cheesy
Community Veteran
Posts: 6,773
Thanks: 257
Fixes: 20
Registered: 16-02-2009

Re: Shell shock bash bug - are our routers vulnerable?

This is NOT a virus as such! just a bug ;-]
Superuser
Posts: 11,550
Thanks: 2,966
Fixes: 22
Registered: 22-08-2007

Re: Shell shock bash bug - are our routers vulnerable?

Fair point... until someone writes a bit of self-perpetuating code which exploits the "bug"  Wink
Community Veteran
Posts: 6,773
Thanks: 257
Fixes: 20
Registered: 16-02-2009

Re: Shell shock bash bug - are our routers vulnerable?

But the vast majority of things that used it were written in the 80's; most systems don't use bash scripts for web pages anymore, which is where it is exploited. Why use a bash script when a Perl or Ruby script is more likely now? Also it still ONLY runs with the user's privileges, and most web servers have zero permissions for scripts. So it could write to the local folder but that is about it.
krumike
Hooked
Posts: 5
Registered: 07-06-2013

Re: Shell shock bash bug - are our routers vulnerable?

After seeing that the US has rated shell shock as "10 out of 10 from a severity point of view" (ref: http://www.bbc.co.uk/news/technology-29375636 ) I decided to look for announcements from Plusnet.
Couldn't find any. Looked through support pages. Service status announcements. Twitter feeds. Community blog tags (announcements, incident reports, industry news). And finally searched the forums. Found a thread which was locked with a comment from the forum moderator "locked as its already covered here..." http://community.plus.net/forum/index.php/topic,132240.0.html
... which brought me to this thread. With a single official reply "No, they're not."  Embarrassed Is that it? Or have I missed something more detailed in my search?
Despite being glad my plusnet router is not vulnerable, given the global news coverage of this extraordinary vulnerability I am shocked that this is not offered a fuller explanation and given more prominence in an easier to find location. Surely Plusnet customers deserve to know that they are safe from this vulnerability.
There. That's my rant over.
PS. I'm happy really. Just find it incredible I had to really route around (pun intended) to get the answer.  Crazy
Community Veteran
Posts: 6,773
Thanks: 257
Fixes: 20
Registered: 16-02-2009

Re: Shell shock bash bug - are our routers vulnerable?

The router doesn't have bash on it by default, so no, they are not vulnerable.
In fact it doesn't really even have a shell as such, just a limited one.
Community Veteran
Posts: 5,094
Thanks: 454
Fixes: 17
Registered: 10-06-2010

Re: Shell shock bash bug - are our routers vulnerable?

The Technicolor firmware does contain busybox, which provides the shell and most of the standard command line programs, like any other router. There's no way to access the shell, or if there is a way, it's not publicised. Although it wouldn't be much use anyway, since the vast majority of the Technicolor firmware functions are contained in a single large program which must always be running.
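
The busybox-versus-bash distinction made in the replies above can be checked on any Linux system you do have shell access to. The script below is an added example, not part of the thread or of any router firmware; the function names `shell_flavor` and `audit_shells` and the list of paths checked are assumptions made for illustration. It resolves each common shell entry point to the real binary behind it, because programs that shell out normally go through `/bin/sh`, and what that name resolves to decides whether bash is involved at all.

```shell
#!/bin/sh
# Added example: report which shell implementation sits behind the usual
# shell entry points. Function names and the path list are hypothetical.

# shell_flavor PATH -> prints bash | busybox | ash-family | other | missing
shell_flavor() {
    # Follow symlinks to the real binary (e.g. /bin/sh -> busybox).
    target=$(readlink -f "$1" 2>/dev/null) || target=""
    if [ -z "$target" ] || [ ! -e "$target" ]; then
        echo missing
        return 0
    fi
    case "$(basename "$target")" in
        bash|bash-*) echo bash ;;
        busybox*)    echo busybox ;;
        dash|ash)    echo ash-family ;;
        *)           echo other ;;
    esac
}

# audit_shells ROOT -> prints one line per entry point that exists under
# ROOT and returns 1 if any of them resolves to bash, 0 otherwise.
audit_shells() {
    root=${1%/}
    found=0
    for rel in bin/sh bin/ash bin/bash usr/bin/bash usr/local/bin/bash; do
        flavor=$(shell_flavor "$root/$rel")
        if [ "$flavor" = missing ]; then
            continue
        fi
        echo "/$rel -> $flavor"
        if [ "$flavor" = bash ]; then
            found=1
        fi
    done
    return "$found"
}

# Audit the running system, or an unpacked filesystem tree given as $1.
audit_shells "${1:-/}" || echo "bash is present: confirm it is a patched build"
```

A result of `busybox` or `ash-family` for every entry point means bash is not installed at those paths; a `bash` result only says the package is present and its version still has to be checked against the distributor's fixed release.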
kjpetrie
Rising Star
Posts: 124
Thanks: 14
Fixes: 1
Registered: 19-12-2010

Re: Shell shock bash bug - are our routers vulnerable?

Glad to know the routers don't run bash.
Actually, I think 10 out of 10 is a bit extreme. To exploit this flaw a hacker would need the website programmer to pass input direct to a shell, and that's just bad programming. No one should ever use input for anything without checking it matches the expected pattern for input, and I would never want to pass input to a shell because the shell is so powerful it would be madness to do that. Also, if the input is passed to the shell, I'm not sure what this bug actually adds. The shell is designed to process commands passed to it, so why would we need this convoluted way of doing it? If I have access to bash, I can simply write commands without going through this process. If I haven't, I can't use it.
So I'm really unclear as to where the new danger is here. This just looks like a curious bug to me. Nothing I have read shows how it could actually be used to gain access a person hasn't already got.
krumike
Hooked
Posts: 5
Registered: 07-06-2013

Re: Shell shock bash bug - are our routers vulnerable?

Quote from: kjpetrie
So I'm really unclear as to where the new danger is here. This just looks like a curious bug to me. Nothing I have read shows how it could actually be used to gain access a person hasn't already got.

I'm certainly no techie in this field... but I've seen other forums link to http://en.wikipedia.org/wiki/Shellshock_(software_bug)
Does it help? It seems to be kept up-to-date with developments. (The usual Wikipedia caveat applies.)
TORPC
Grafter
Posts: 5,163
Registered: 08-12-2013

Re: Shell shock bash bug - are our routers vulnerable?

For some reason the forum omits the ) from the end of the link.
Here it is corrected:
http://en.wikipedia.org/wiki/Shellshock_(software_bug)