Is DD-WRT affected by the shell shock bug?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> General Questions
Goto page 1, 2  Next
Author Message
Tarcas
DD-WRT Novice


Joined: 07 Jul 2012
Posts: 7
Location: St. Louis, MO

PostPosted: Thu Sep 25, 2014 15:39    Post subject: Is DD-WRT affected by the shell shock bug? Reply with quote
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

I've been trying to test my router via remote code exploit, but I'm really not sure what I'm looking for, as I don't have a known-bad CGI script to see the output of a successful exploit. Has anybody been able to confirm whether DD-WRT is vulnerable or not, and if so what version(s) and how is it properly tested?
If it is exploitable, when can we expect a build with the patch?

If someone can let me know how to test a given CGI script and what to look for, I can make a script to go through and verify each of the URLs available on a router.

-Tarcas

_________________
"A person who never made a mistake never tried anything new." - Albert Einstein
Sponsor
Newbrain
DD-WRT User


Joined: 28 Dec 2013
Posts: 151

PostPosted: Thu Sep 25, 2014 15:58    Post subject: Reply with quote
It will not work on your router, it is the Bourne Again Shell (BASH) that is affected, DD-WRT use BusyBox. Write:

echo $SHELL

Then run
/bin/sh --version

---Edit:
Do you want to test the router or something behind it?
Tarcas
DD-WRT Novice


Joined: 07 Jul 2012
Posts: 7
Location: St. Louis, MO

PostPosted: Thu Sep 25, 2014 16:10    Post subject: Reply with quote
Thanks. After SSHing in, I have confirmed what you said. I was wanting to test the router itself. Most of what is behind mine, I can update easily. Plus it's hiding behind NAT so it SHOULD be safe from the outside world.

Code:
root@router:/tmp/var# echo $SHELL
/bin/sh
root@router:/tmp/var# ls -al /bin/sh
lrwxrwxrwx    1 root     root             7 Jun  7 19:51 /bin/sh -> busybox
root@router:/opt# /bin/sh --version


BusyBox v1.21.0 (2014-06-07 21:49:50 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@router:/tmp/var# ls -al /bin/bash
lrwxrwxrwx    1 root     root            13 Jun  7 19:51 /bin/bash -> /opt/bin/bash
root@router:/tmp/var# cd /opt/bin
-sh: cd: can't cd to /opt/bin
root@router:/tmp/var# cd /opt
root@router:/opt# ls
root@router:/opt# /bin/bash
-sh: /bin/bash: not found
root@router:/opt# bash
-sh: bash: not found
root@router:/opt# which bash
root@router:/opt# which sh
/bin/sh

_________________
"A person who never made a mistake never tried anything new." - Albert Einstein
Newbrain
DD-WRT User


Joined: 28 Dec 2013
Posts: 151

PostPosted: Thu Sep 25, 2014 16:17    Post subject: Reply with quote
As long as those systems are protected behind IPTables in DD-WRT you should be safe(ish) Smile

Sorry if my first post sounded a bit harsh Embarassed
Have been fighting to get on top of this on several internet connected systems, so BUSY!


/Newbrain
blaser
DD-WRT User


Joined: 16 Jul 2006
Posts: 456

PostPosted: Thu Sep 25, 2014 17:19    Post subject: Reply with quote
This is correct if you are not using optware, optware use bash
_________________
Asus RT-AC68U 38100M
Newbrain
DD-WRT User


Joined: 28 Dec 2013
Posts: 151

PostPosted: Thu Sep 25, 2014 19:21    Post subject: Reply with quote
blaser wrote:
This is correct if you are not using optware, optware use bash


Good point, thanks!
Just goes to show how complex the mitigation and remediation of this is going to be..

/Newbrain
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4225
Location: Germany

PostPosted: Thu Sep 25, 2014 19:55    Post subject: Reply with quote
blaser wrote:
This is correct if you are not using optware, optware use bash


This is not correct. As you first need a service that is exposed to wan and this service needs to make use of bash.
Thus installing bash through optware causes no risk unless you run any app that is directly accessible through wan and utilizes bash.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
blaser
DD-WRT User


Joined: 16 Jul 2006
Posts: 456

PostPosted: Thu Sep 25, 2014 20:57    Post subject: Reply with quote
Correct, you need someone to access it and run the exploit, but better be safe if we can replace it
_________________
Asus RT-AC68U 38100M
can't flash
DD-WRT User


Joined: 14 Jan 2010
Posts: 71
Location: Michigan, USA

PostPosted: Fri Sep 26, 2014 5:37    Post subject: Reply with quote
blaser wrote:
Correct, you need someone to access it and run the exploit, but better be safe if we can replace it


Is there a way to mitigate this in OTRW2? I've confirmed that that's running Bash v 3.2.49, which is affected by Shellshock. However, having tried to import the patch from: https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052, I am unable to get it to work. What I see is the following:
Code:
root@ddwrt:/optware/tmp# patch -p0 <./bash32-052.txt
patch: invalid patch
patch: invalid patch
patch: invalid patch
patch: invalid patch
patch: invalid patch
patch: invalid patch
patch: invalid patch
patch: invalid patch
patch: invalid patch
patch: invalid patch
Segmentation fault
root@ddwrt:/optware/tmp#


Also, attempting to upgrade bash via
Code:
ipkg-opt upgrade
also does not work because that version remains 3.2.49. Anyone have any suggestions or success here?
_________________
Linksys E3000
DD-WRT v3.0-r36410 mega
Release: 07/28/2018 (SVN revision: 36410)
dd-wrt.v24-36410_NEWD-2_K3.x_mega-e3000.bin
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4225
Location: Germany

PostPosted: Fri Sep 26, 2014 5:56    Post subject: Reply with quote
blaser wrote:
Correct, you need someone to access it and run the exploit, but better be safe if we can replace it


I think you are confusing people. If someone already has access to the router he does not need to run an exploit.

The only way the shellshock bug could be exploited is, that a user installs an app, e.g. apache that uses cgi to call bash and is available from wan.

There are only a handful apps in optware which could cause a problem and most of them won't be used on the older routers as, they are much too weak to run these e.g. apache and they have to be configured in a certain way and have to be exposed to wan. I think if anyone managed have such a thing in place he knows what he is doing and should be able to reconfigure it in order to not use bash or update it.

All standard dd-wrt apps, that come with the firmware don't use bash but busybox shell and thus not affected, even if you install bash. Thus if you have bash installed and activated lighttpd on newer build it is no problem. Same for webif or other apps that come with the firmware.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Newbrain
DD-WRT User


Joined: 28 Dec 2013
Posts: 151

PostPosted: Fri Sep 26, 2014 8:22    Post subject: Reply with quote
There's a lot of FUD around this ShellShock/BashBug thing. So while agreeing that we shouldn't panic, understanding how to patch and test + showing how it can be done should certainly be commended (like the poster tried). That would also help someone running Apache on OptWare patch it without having to go through all the hassle him/herself.

Having said that, I LOVE what you Guys are doing, please keep up the fantastic Work.

/Newbrain

<Kong> wrote:
blaser wrote:
Correct, you need someone to access it and run the exploit, but better be safe if we can replace it


I think you are confusing people. If someone already has access to the router he does not need to run an exploit.

The only way the shellshock bug could be exploited is, that a user installs an app, e.g. apache that uses cgi to call bash and is available from wan.

There are only a handful apps in optware which could cause a problem and most of them won't be used on the older routers as, they are much too weak to run these e.g. apache and they have to be configured in a certain way and have to be exposed to wan. I think if anyone managed have such a thing in place he knows what he is doing and should be able to reconfigure it in order to not use bash or update it.

All standard dd-wrt apps, that come with the firmware don't use bash but busybox shell and thus not affected, even if you install bash. Thus if you have bash installed and activated lighttpd on newer build it is no problem. Same for webif or other apps that come with the firmware.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1545
Location: Zwolle

PostPosted: Sat Sep 27, 2014 1:31    Post subject: Reply with quote
Optware bash has been updated, but it still reports itself as:
Code:
GNU bash, version 3.2.49(1)-release (mipsel-unknown-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.

_________________
2 times RT-AC56U running 33772 with entware-ng, Yamon 3 (SFE disabled).

Asus RT-N16 running Merlin LTS fork RT-N16_3.0.0.4_374.43_2-25E8j9527.trx with entware-ng.

2 times Asus RT-N16 running dd-wrt.v24-33772_NEWD-2_K3.x_big.bin with entware-ng

E4200 V1 running dd-wrt.v24-33772_NEWD-2_K3.x_mega-e3000.bin

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running dd-wrt.v24-33772_NEWD-2_K3.x_mega-e3000.bin (bridged with LAN cable)


kevinkeane
DD-WRT Novice


Joined: 27 Sep 2014
Posts: 2

PostPosted: Sat Sep 27, 2014 3:54    Post subject: Reply with quote
slobodan wrote:
Optware bash has been updated, but it still reports itself as:
Code:
GNU bash, version 3.2.49(1)-release (mipsel-unknown-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.


More importantly, it still fails the vulnerability test RedHat published:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


returns

Code:
vulnerable
this is a test


Fixed versions of Bash will instead return a warning:

Code:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


BTW, even if the shell returned the warning, that's not a guarantee it isn't vulnerable; the initial fix for it only addressed half the problem. For RH Enterprise Linux, RedHat published a second update for bash to address this. Obviously doesn't help us with DD-WRT!
can't flash
DD-WRT User


Joined: 14 Jan 2010
Posts: 71
Location: Michigan, USA

PostPosted: Sun Sep 28, 2014 19:11    Post subject: Reply with quote
kevinkeane wrote:
slobodan wrote:
Optware bash has been updated, but it still reports itself as:
Code:
GNU bash, version 3.2.49(1)-release (mipsel-unknown-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.


More importantly, it still fails the vulnerability test RedHat published:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


returns

Code:
vulnerable
this is a test


Fixed versions of Bash will instead return a warning:

Code:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


BTW, even if the shell returned the warning, that's not a guarantee it isn't vulnerable; the initial fix for it only addressed half the problem. For RH Enterprise Linux, RedHat published a second update for bash to address this. Obviously doesn't help us with DD-WRT!


Confirmed this just now.
Code:
ipkg-opt upgrade bash
returned
Code:
Upgrading bash on /opt/ from 3.2.49-1 to 3.2.52.1...
However, when running the problematic (){ :;} command, the apparent vulerability is still present and
Code:
bash -version
returns
Code:
GNU bash, version 3.2.49(1)-release
despite the upgrade.
_________________
Linksys E3000
DD-WRT v3.0-r36410 mega
Release: 07/28/2018 (SVN revision: 36410)
dd-wrt.v24-36410_NEWD-2_K3.x_mega-e3000.bin
Offal
DD-WRT Novice


Joined: 29 Jun 2011
Posts: 9

PostPosted: Tue Sep 30, 2014 2:39    Post subject: bash updates Reply with quote
No update yet.

root@-----:~# ipkg-opt upgrade
Nothing to be done
Successfully terminated.
root@-----:~# date
Mon Sep 29 21:38:24 UTC 2014
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> General Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum