I've been trying to test my router via remote code exploit, but I'm really not sure what I'm looking for, as I don't have a known-bad CGI script to see the output of a successful exploit. Has anybody been able to confirm whether DD-WRT is vulnerable or not, and if so what version(s) and how is it properly tested?
If it is exploitable, when can we expect a build with the patch?
If someone can let me know how to test a given CGI script and what to look for, I can make a script to go through and verify each of the URLs available on a router.
-Tarcas _________________ "A person who never made a mistake never tried anything new." - Albert Einstein
Joined: 07 Jul 2012 Posts: 7 Location: St. Louis, MO
Posted: Thu Sep 25, 2014 16:10 Post subject:
Thanks. After SSHing in, I have confirmed what you said. I was wanting to test the router itself. Most of what is behind mine, I can update easily. Plus it's hiding behind NAT so it SHOULD be safe from the outside world.
BusyBox v1.21.0 (2014-06-07 21:49:50 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
root@router:/tmp/var# ls -al /bin/bash
lrwxrwxrwx 1 root root 13 Jun 7 19:51 /bin/bash -> /opt/bin/bash
root@router:/tmp/var# cd /opt/bin
-sh: cd: can't cd to /opt/bin
root@router:/tmp/var# cd /opt
root@router:/opt# ls
root@router:/opt# /bin/bash
-sh: /bin/bash: not found
root@router:/opt# bash
-sh: bash: not found
root@router:/opt# which bash
root@router:/opt# which sh
/bin/sh
_________________ "A person who never made a mistake never tried anything new." - Albert Einstein
This is correct if you are not using optware; optware uses bash
This is not correct, as you first need a service that is exposed to wan, and this service needs to make use of bash.
Thus installing bash through optware causes no risk unless you run any app that is directly accessible through wan and utilizes bash. _________________ KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Correct, you need someone to access it and run the exploit, but better be safe if we can replace it _________________ Netgear R9000 main router
RAX80 as AP
Joined: 14 Jan 2010 Posts: 73 Location: Flint, Michigan
Posted: Fri Sep 26, 2014 5:37 Post subject:
blaser wrote:
Correct, you need someone to access it and run the exploit, but better be safe if we can replace it
Is there a way to mitigate this in OTRW2? I've confirmed that that's running Bash v 3.2.49, which is affected by Shellshock. However, having tried to import the patch from: https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052, I am unable to get it to work. What I see is the following:
also does not work because that version remains 3.2.49. Anyone have any suggestions or success here? _________________ Netgear R7800
DD-WRT v3.0-r58389 std
Release: 09/20/2024 (SVN revision: 58389)
Correct, you need someone to access it and run the exploit, but better be safe if we can replace it
I think you are confusing people. If someone already has access to the router he does not need to run an exploit.
The only way the shellshock bug could be exploited is that a user installs an app, e.g. apache, that uses cgi to call bash and is available from wan.
There are only a handful of apps in optware which could cause a problem, and most of them won't be used on the older routers, as they are much too weak to run these, e.g. apache, and they have to be configured in a certain way and have to be exposed to wan. I think if anyone managed to have such a thing in place he knows what he is doing and should be able to reconfigure it in order to not use bash or update it.
All standard dd-wrt apps that come with the firmware don't use bash but busybox shell and thus are not affected, even if you install bash. Thus if you have bash installed and activated lighttpd on newer build it is no problem. Same for webif or other apps that come with the firmware. _________________ KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
There's a lot of FUD around this ShellShock/BashBug thing. So while agreeing that we shouldn't panic, understanding how to patch and test + showing how it can be done should certainly be commended (like the poster tried). That would also help someone running Apache on OptWare patch it without having to go through all the hassle him/herself.
Having said that, I LOVE what you Guys are doing, please keep up the fantastic Work.
/Newbrain
<Kong> wrote:
blaser wrote:
Correct, you need someone to access it and run the exploit, but better be safe if we can replace it
I think you are confusing people. If someone already has access to the router he does not need to run an exploit.
The only way the shellshock bug could be exploited is that a user installs an app, e.g. apache, that uses cgi to call bash and is available from wan.
There are only a handful of apps in optware which could cause a problem, and most of them won't be used on the older routers, as they are much too weak to run these, e.g. apache, and they have to be configured in a certain way and have to be exposed to wan. I think if anyone managed to have such a thing in place he knows what he is doing and should be able to reconfigure it in order to not use bash or update it.
All standard dd-wrt apps that come with the firmware don't use bash but busybox shell and thus are not affected, even if you install bash. Thus if you have bash installed and activated lighttpd on newer build it is no problem. Same for webif or other apps that come with the firmware.
Optware bash has been updated, but it still reports itself as:
Code:
GNU bash, version 3.2.49(1)-release (mipsel-unknown-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.
More importantly, it still fails the vulnerability test RedHat published:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
returns
Code:
vulnerable
this is a test
Fixed versions of Bash will instead return a warning:
Code:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
BTW, even if the shell returned the warning, that's not a guarantee it isn't vulnerable; the initial fix for it only addressed half the problem. For RH Enterprise Linux, RedHat published a second update for bash to address this. Obviously doesn't help us with DD-WRT!
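Added example (not part of any post in this thread): a POSIX shell helper that runs the Red Hat probe quoted above against a given bash binary and classifies the three outcomes, since the version string proved unreliable here. The function names and verdict labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example: classify the Red Hat probe output for a given bash binary.
# Function names and verdict labels are this example's own (assumptions).

# Turn probe output (one string) into a verdict.
classify_output() {
    verdict=UNKNOWN
    # Compare whole lines so the marker cannot match inside another message.
    while IFS= read -r line; do
        case "$line" in
            vulnerable)
                verdict=VULNERABLE
                break ;;
            *"ignoring function definition attempt"*)
                # First fix only; the thread notes this is not a guarantee.
                verdict=WARNED_RECHECK ;;
            "this is a test")
                if [ "$verdict" = UNKNOWN ]; then verdict=NOT_IMPORTED; fi ;;
        esac
    done <<EOF
$1
EOF
    echo "$verdict"
}

# Run the probe from the thread against the binary in $1, stderr included.
run_probe() {
    env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>&1 || true
}

# Full check. ABSENT covers a dangling symlink such as the
# /bin/bash -> /opt/bin/bash listing when Optware is not mounted.
check_bash() {
    if [ ! -x "$1" ]; then
        echo ABSENT
        return 0
    fi
    classify_output "$(run_probe "$1")"
}

# Usage: sh probe.sh /opt/bin/bash /bin/bash
for candidate in "$@"; do
    printf '%s: %s\n' "$candidate" "$(check_bash "$candidate")"
done
```

NOT_IMPORTED means the probe variable was treated as plain data and neither the marker nor the warning appeared.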
Joined: 14 Jan 2010 Posts: 73 Location: Flint, Michigan
Posted: Sun Sep 28, 2014 19:11 Post subject:
kevinkeane wrote:
slobodan wrote:
Optware bash has been updated, but it still reports itself as:
Code:
GNU bash, version 3.2.49(1)-release (mipsel-unknown-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.
More importantly, it still fails the vulnerability test RedHat published:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
returns
Code:
vulnerable
this is a test
Fixed versions of Bash will instead return a warning:
Code:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
BTW, even if the shell returned the warning, that's not a guarantee it isn't vulnerable; the initial fix for it only addressed half the problem. For RH Enterprise Linux, RedHat published a second update for bash to address this. Obviously doesn't help us with DD-WRT!
Confirmed this just now.
Code:
ipkg-opt upgrade bash
returned
Code:
Upgrading bash on /opt/ from 3.2.49-1 to 3.2.52.1...
However, when running the problematic (){ :;} command, the apparent vulnerability is still present and