• Are our WiFI routers and rooftop radios affected by the Bash Shellshoc

    From Ger Robertson@110:110/2002 to All on Fri Sep 26 05:44:50 2014
    Subject: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    Anyone know how we can tell if our WiFI routers and rooftop radios are affected by the Bash Shellshock vulnerability?

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: albasani.net (110:110/2002@linuxnet)
  • From Chris Ahlstrom@110:110/2002 to All on Fri Sep 26 09:53:32 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    Ger Robertson wrote this copyrighted missive and expects royalties:

    Anyone know how we can tell if our WiFI routers and rooftop radios are affected by the Bash Shellshock vulnerability?

    Shell into it and see!

    --
    In Lowes Crossroads, Delaware, it is a violation of local law for any
    pilot or passenger to carry an ice cream cone in their pocket while
    either flying or waiting to board a plane.

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: None (110:110/2002@linuxnet)
  • From John Hasler@110:110/2002 to All on Fri Sep 26 12:51:04 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    Anyone know how we can tell if our WiFI routers and rooftop radios are affected by the Bash Shellshock vulnerability?

    They almost certainly aren't. Bash is unlikely to be installed on
    embedded systems: too large. They probably use Busybox. Besides, if
    anyone on the WAN can connect to your router at all it's already broken.
    Of course, if you are running the manufacturer's firmware it probably
    has a dozen gaping holes built in anyway...
    --
    John Hasler
    jhasler@newsguy.com
    Dancing Horse Hill
    Elmwood, WI USA

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: Dancing Horse Hill (110:110/2002@linuxnet)
  • From Caver1@110:110/2002 to All on Fri Sep 26 16:26:17 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 09/26/2014 08:51 AM, John Hasler wrote:
    Anyone know how we can tell if our WiFI routers and rooftop radios are
    affected by the Bash Shellshock vulnerability?

    They almost certainly aren't. Bash is unlikely to be installed on
    embedded systems: too large. They probably use Busybox. Besides, if
    anyone on the WAN can connect to your router at all it's already broken.
    Of course, if you are running the manufacturer's firmware it probably
    has a dozen gaping holes built in anyway...


    Ubuntu with bash scripts is used for many embedded appliances and they
    are vulnerable.

    --
    Caver1

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Caver1@110:110/2002 to All on Fri Sep 26 16:40:03 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 09/26/2014 12:26 PM, Caver1 wrote:
    On 09/26/2014 08:51 AM, John Hasler wrote:
    Anyone know how we can tell if our WiFI routers and rooftop radios are
    affected by the Bash Shellshock vulnerability?

    They almost certainly aren't. Bash is unlikely to be installed on
    embedded systems: too large. They probably use Busybox. Besides, if
    anyone on the WAN can connect to your router at all it's already broken.
    Of course, if you are running the manufacturer's firmware it probably
    has a dozen gaping holes built in anyway...


    Ubuntu with bash scripts is used for many embedded appliances and they
    are vulnerable.


    Here's a link,

    https://gigaom.com/2014/09/25/the-critical-shellshock-flaw-affects-many-linux-a nd-apple-systems-heres-what-you-need-to-know/

    --
    Caver1

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Java Jive@1:0/0 to All on Fri Sep 26 19:00:55 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    "The critical Shellshock flaw affects many Linux and Apple systems —
    here’s what you need to know"

    But actually tells you nothing really useful at all, just gives as
    many scary quotes from as many security experts as he could find when
    writing up his useless FUD.

    If he was really concerned, he would have found out enough about how
    best to fix it temporarily until security updates come along.

    On Fri, 26 Sep 2014 12:40:03 -0400, Caver1 <Caver1@inthemud.org>
    wrote:

    Here's a link,


    https://gigaom.com/2014/09/25/the-critical-shellshock-flaw-affects-many-linux-a nd-apple-systems-heres-what-you-need-to-know/
    --
    =========================================================
    Please always reply to ng as the email in this post's
    header does not exist. Or use a contact address at:
    http://www.macfh.co.uk/JavaJive/JavaJive.html
    http://www.macfh.co.uk/Macfarlane/Macfarlane.html

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobb
  • From Shadow@110:110/2002 to All on Fri Sep 26 21:16:30 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    On Fri, 26 Sep 2014 05:44:50 +0000 (UTC), Ger Robertson <something@something.invalid> wrote:

    Anyone know how we can tell if our WiFI routers and rooftop radios are >affected by the Bash Shellshock vulnerability?

    Telnet (or Putty) into it and
    sh
    will tell you what shell it runs.
    []'s
    --
    Don't be evil - Google 2004
    We have a new policy - Google 2012

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: NewsGuy - Unlimited Usenet $23.95 (110:110/2002@linuxnet)
  • From William Unruh@110:110/2002 to All on Fri Sep 26 23:14:14 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 2014-09-26, Ger Robertson <something@something.invalid> wrote:
    Anyone know how we can tell if our WiFI routers and rooftop radios are affected by the Bash Shellshock vulnerability?

    And our toasters! I now know whom to blame when my toast burns tomorrow.


    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From William Unruh@110:110/2002 to All on Fri Sep 26 23:18:16 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 2014-09-26, Shadow <Sh@dow.br> wrote:
    On Fri, 26 Sep 2014 05:44:50 +0000 (UTC), Ger Robertson
    <something@something.invalid> wrote:

    Anyone know how we can tell if our WiFI routers and rooftop radios are >>affected by the Bash Shellshock vulnerability?

    Telnet (or Putty) into it and
    sh
    will tell you what shell it runs.
    []'s

    No it will tell you what shell it runs as a replacement for sh. It may
    have many shells installed.
    And once you have telneted in, you already have shell access so do not
    need shell access.
    The question is whether there are any externally listening programs
    which use bash and which can be fed "carefully crafted" environment
    variables from outside.


    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Shadow@110:110/2002 to All on Fri Sep 26 23:33:10 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    On Fri, 26 Sep 2014 23:18:16 +0000 (UTC), William Unruh
    <unruh@invalid.ca> wrote:

    On 2014-09-26, Shadow <Sh@dow.br> wrote:
    On Fri, 26 Sep 2014 05:44:50 +0000 (UTC), Ger Robertson >><something@something.invalid> wrote:

    Anyone know how we can tell if our WiFI routers and rooftop radios are >>>affected by the Bash Shellshock vulnerability?

    Telnet (or Putty) into it and
    sh
    will tell you what shell it runs.
    []'s

    No it will tell you what shell it runs as a replacement for sh. It may
    have many shells installed.
    And once you have telneted in, you already have shell access so do not
    need shell access.
    The question is whether there are any externally listening programs
    which use bash and which can be fed "carefully crafted" environment
    variables from outside.

    #sh

    BusyBox v1.00 (2012.02.06-00:34+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.

    #cat /etc/services

    Aw, c'mon, it's a start.
    []'s



    --
    Don't be evil - Google 2004
    We have a new policy - Google 2012

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: NewsGuy - Unlimited Usenet $23.95 (110:110/2002@linuxnet)
  • From Ger Robertson@110:110/2002 to All on Sat Sep 27 00:06:56 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    Shadow wrote, on Fri, 26 Sep 2014 18:16:30 -0300:

    Telnet (or Putty) into it and sh will tell you what shell it runs.
    []'s

    How do you telnet into your router?
    It just hung when I tried it.

    $ telnet router
    Trying 192.168.1.1...
    Connected to router.
    Escape character is '^]'.




    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: albasani.net (110:110/2002@linuxnet)
  • From Wildman@110:110/2002 to All on Sat Sep 27 00:10:52 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On Fri, 26 Sep 2014 20:33:10 -0300
    Shadow <Sh@dow.br> wrote:

    On Fri, 26 Sep 2014 23:18:16 +0000 (UTC), William Unruh
    <unruh@invalid.ca> wrote:

    On 2014-09-26, Shadow <Sh@dow.br> wrote:
    On Fri, 26 Sep 2014 05:44:50 +0000 (UTC), Ger Robertson >><something@something.invalid> wrote:

    Anyone know how we can tell if our WiFI routers and rooftop radios
    are affected by the Bash Shellshock vulnerability?

    Telnet (or Putty) into it and
    sh
    will tell you what shell it runs.
    []'s

    No it will tell you what shell it runs as a replacement for sh. It
    may have many shells installed.
    And once you have telneted in, you already have shell access so do
    not need shell access.
    The question is whether there are any externally listening programs
    which use bash and which can be fed "carefully crafted" environment >variables from outside.

    #sh

    BusyBox v1.00 (2012.02.06-00:34+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.

    #cat /etc/services

    Aw, c'mon, it's a start.
    []'s

    To find out what the default shell is, enter this...
    echo $SHELL
    If it is bash and there are other shells installed, you can
    change the default shell.
    chsh -s /bin/dash
    or
    chsh -s /bin/sh
    or whatever.

    --
    <Wildman> GNU/Linux user #557453
    The cow died so I don't need your bull!


    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: Wildman Productions (110:110/2002@linuxnet)
  • From William Unruh@110:110/2002 to All on Sat Sep 27 01:41:58 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 2014-09-27, Wildman <best_lay@yahoo.com> wrote:
    On Fri, 26 Sep 2014 20:33:10 -0300
    Shadow <Sh@dow.br> wrote:

    On Fri, 26 Sep 2014 23:18:16 +0000 (UTC), William Unruh
    <unruh@invalid.ca> wrote:

    On 2014-09-26, Shadow <Sh@dow.br> wrote:
    On Fri, 26 Sep 2014 05:44:50 +0000 (UTC), Ger Robertson
    <something@something.invalid> wrote:

    Anyone know how we can tell if our WiFI routers and rooftop radios
    are affected by the Bash Shellshock vulnerability?

    Telnet (or Putty) into it and
    sh
    will tell you what shell it runs.
    []'s

    No it will tell you what shell it runs as a replacement for sh. It
    may have many shells installed.
    And once you have telneted in, you already have shell access so do
    not need shell access.
    The question is whether there are any externally listening programs
    which use bash and which can be fed "carefully crafted" environment
    variables from outside.

    #sh

    BusyBox v1.00 (2012.02.06-00:34+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.

    #cat /etc/services

    Aw, c'mon, it's a start.
    []'s

    To find out what the default shell is, enter this...
    echo $SHELL

    Different default. This is the default for that particular user-- the
    shell that is opened up on a terminal when the user logs in. The
    default I was talking about is the default that the system uses in
    general- it is usually called sh, but most systems have /bin/sh pointing
    to some other shell which also has the same commands as the classic sh
    shell (such as bash). Writers expect sh to comply with certain standards
    so for example /bin/tcsh would not be a good thing for /bin/sh to point
    to because thestructure of tcsh is very different from the old sh.

    If it is bash and there are other shells installed, you can
    change the default shell.
    chsh -s /bin/dash
    or
    chsh -s /bin/sh
    or whatever.

    That will change your own particular shell that is brought up when you
    log in. Actually the latter will probably give you bash anyway, since
    /bin/sh is often a link to /bin/bash.



    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Shadow@110:110/2002 to All on Sat Sep 27 02:21:08 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    On Sat, 27 Sep 2014 00:06:56 +0000 (UTC), Ger Robertson <something@something.invalid> wrote:

    Shadow wrote, on Fri, 26 Sep 2014 18:16:30 -0300:

    Telnet (or Putty) into it and sh will tell you what shell it runs.
    []'s

    How do you telnet into your router?
    It just hung when I tried it.

    $ telnet router
    Trying 192.168.1.1...
    Connected to router.
    Escape character is '^]'.



    Maybe you disabled telnet access in the GUI, or it could be
    "off" by default ?
    Try configuring via GUI first. Or maybe it does not allow
    access via wireless, like mine, I need an Ethernet connection to login
    as admin.
    And experiment with PuTTY. Nice little freeware utility

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

    Might be in your repos if you run Linux.
    []'s
    --
    Don't be evil - Google 2004
    We have a new policy - Google 2012

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: NewsGuy - Unlimited Usenet $23.95 (110:110/2002@linuxnet)
  • From Shadow@110:110/2002 to All on Sat Sep 27 02:29:58 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    On Sat, 27 Sep 2014 01:41:58 +0000 (UTC), William Unruh
    <unruh@invalid.ca> wrote:

    That will change your own particular shell that is brought up when you
    log in. Actually the latter will probably give you bash anyway, since
    /bin/sh is often a link to /bin/bash.

    Do you know any cheapo home routers (D-Link, Netgear, etc)
    that actually use bash, and not BusyBox, or some other compact
    "do-all" binary ?
    I know the expensive ones might use it, and the shell on my
    homemade CD-Booted router/firewall running on an old AMD K6 was bash,
    but bash is a bit of an overkill for a cheap home router.
    []'s
    --
    Don't be evil - Google 2004
    We have a new policy - Google 2012

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: NewsGuy - Unlimited Usenet $23.95 (110:110/2002@linuxnet)
  • From Wildman@110:110/2002 to All on Sat Sep 27 03:10:57 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On Sat, 27 Sep 2014 01:41:58 +0000 (UTC)
    William Unruh <unruh@invalid.ca> wrote:

    On 2014-09-27, Wildman <best_lay@yahoo.com> wrote:
    On Fri, 26 Sep 2014 20:33:10 -0300
    Shadow <Sh@dow.br> wrote:

    On Fri, 26 Sep 2014 23:18:16 +0000 (UTC), William Unruh
    <unruh@invalid.ca> wrote:

    On 2014-09-26, Shadow <Sh@dow.br> wrote:
    On Fri, 26 Sep 2014 05:44:50 +0000 (UTC), Ger Robertson
    <something@something.invalid> wrote:

    Anyone know how we can tell if our WiFI routers and rooftop
    radios are affected by the Bash Shellshock vulnerability?

    Telnet (or Putty) into it and
    sh
    will tell you what shell it runs.
    []'s

    No it will tell you what shell it runs as a replacement for sh. It
    may have many shells installed.
    And once you have telneted in, you already have shell access so do
    not need shell access.
    The question is whether there are any externally listening
    programs which use bash and which can be fed "carefully crafted"
    environment variables from outside.

    #sh

    BusyBox v1.00 (2012.02.06-00:34+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.

    #cat /etc/services

    Aw, c'mon, it's a start.
    []'s

    To find out what the default shell is, enter this...
    echo $SHELL

    Different default. This is the default for that particular user-- the
    shell that is opened up on a terminal when the user logs in. The
    default I was talking about is the default that the system uses in
    general- it is usually called sh, but most systems have /bin/sh
    pointing to some other shell which also has the same commands as the
    classic sh shell (such as bash). Writers expect sh to comply with
    certain standards so for example /bin/tcsh would not be a good thing
    for /bin/sh to point to because thestructure of tcsh is very
    different from the old sh.

    On a Linux/Unix system that is true. I don't think routers
    support multiple users or do they?

    If it is bash and there are other shells installed, you can
    change the default shell.
    chsh -s /bin/dash
    or
    chsh -s /bin/sh
    or whatever.

    That will change your own particular shell that is brought up when you
    log in.

    If routers support only one user, that would not be an issue.
    Even so, it is possible to change the default shell for all
    users.

    Actually the latter will probably give you bash anyway, since
    /bin/sh is often a link to /bin/bash.

    On my system, SolydX, sh points to dash. The same is true
    for Mint, Ubuntu and MX-14. Don't know about any others.

    --
    <Wildman> GNU/Linux user #557453
    The cow died so I don't need your bull!


    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: Wildman Productions (110:110/2002@linuxnet)
  • From Ant@1:0/0 to All on Sat Sep 27 05:47:27 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 9/26/2014 4:14 PM PT, William Unruh typed:

    And our toasters! I now know whom to blame when my toast burns tomorrow.

    I thought you meant Cylons at first. :P
    --
    "For every 1 person on earth there are 1 million ants." --Factoid for
    the video of Adam Ant's "Goody Two Shoes" Pop Up Video
    /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
    / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
    | |o o| |
    \ _ / If crediting, then use Ant nickname and AQFL URL/link.
    ( ) If e-mailing, then axe ANT from its address if needed.
    Ant is currently not listening to any songs on this computer.

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobb
  • From Neill Massello@1:0/0 to All on Sat Sep 27 08:23:28 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    William Unruh <unruh@invalid.ca> wrote:

    I now know whom to blame when my toast burns tomorrow.

    All your toast are belong to us.


    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobb
  • From Chris Ahlstrom@110:110/2002 to All on Sat Sep 27 10:42:03 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    Wildman wrote this copyrighted missive and expects royalties:

    On Sat, 27 Sep 2014 01:41:58 +0000 (UTC)
    William Unruh <unruh@invalid.ca> wrote:


    To find out what the default shell is, enter this...
    echo $SHELL

    Different default. This is the default for that particular user-- the
    shell that is opened up on a terminal when the user logs in. The
    default I was talking about is the default that the system uses in
    general- it is usually called sh, but most systems have /bin/sh
    pointing to some other shell which also has the same commands as the
    classic sh shell (such as bash). Writers expect sh to comply with
    certain standards so for example /bin/tcsh would not be a good thing
    for /bin/sh to point to because thestructure of tcsh is very
    different from the old sh.

    On a Linux/Unix system that is true. I don't think routers
    support multiple users or do they?

    If it is bash and there are other shells installed, you can
    change the default shell.
    chsh -s /bin/dash
    or
    chsh -s /bin/sh
    or whatever.

    That will change your own particular shell that is brought up when you
    log in.

    If routers support only one user, that would not be an issue.
    Even so, it is possible to change the default shell for all
    users.

    Actually the latter will probably give you bash anyway, since
    /bin/sh is often a link to /bin/bash.

    On my system, SolydX, sh points to dash. The same is true
    for Mint, Ubuntu and MX-14. Don't know about any others.

    That's long been true for Debian, I believe. It is certainly true right
    now.

    --
    A man can have two, maybe three love affairs while he's married. After
    that it's cheating.
    -- Yves Montand

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: None (110:110/2002@linuxnet)
  • From Shadow@110:110/2002 to All on Sat Sep 27 11:35:43 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    On Fri, 26 Sep 2014 22:10:57 -0500, Wildman <best_lay@yahoo.com>
    wrote:

    Different default. This is the default for that particular user-- the
    shell that is opened up on a terminal when the user logs in. The
    default I was talking about is the default that the system uses in
    general- it is usually called sh, but most systems have /bin/sh
    pointing to some other shell which also has the same commands as the
    classic sh shell (such as bash). Writers expect sh to comply with
    certain standards so for example /bin/tcsh would not be a good thing
    for /bin/sh to point to because thestructure of tcsh is very
    different from the old sh.

    On a Linux/Unix system that is true. I don't think routers
    support multiple users or do they?

    My cheap D-Link does:

    default_backdoor = root
    admin = "root"
    support = if it's an adsl modem router gives ISP access
    user = dunno what he's for. He can view settings, but not
    change them. But he CAN remotely update the firmware, which means he
    can do anything, including botnet the router.
    To be "safe", give the last 3 strong passwords.

    PS default_backdoor is hidden to admin, and password is
    "safely" "secured" for your "safety".
    ;)
    []'s

    --
    Don't be evil - Google 2004
    We have a new policy - Google 2012

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: NewsGuy - Unlimited Usenet $23.95 (110:110/2002@linuxnet)
  • From Caver1@110:110/2002 to All on Sat Sep 27 22:52:00 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 09/26/2014 03:00 PM, Java Jive wrote:
    "The critical Shellshock flaw affects many Linux and Apple systems —
    here’s what you need to know"

    But actually tells you nothing really useful at all, just gives as
    many scary quotes from as many security experts as he could find when
    writing up his useless FUD.

    If he was really concerned, he would have found out enough about how
    best to fix it temporarily until security updates come along.

    On Fri, 26 Sep 2014 12:40:03 -0400, Caver1 <Caver1@inthemud.org>
    wrote:

    Here's a link,

    https://gigaom.com/2014/09/25/the-critical-shellshock-flaw-affects-many-linux-a nd-apple-systems-heres-what-you-need-to-know/


    I agree just pointed this out to show that routers could be affected.

    --
    Caver1

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Michael Black@1:0/0 to All on Mon Sep 29 00:37:54 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On Fri, 26 Sep 2014, Shadow wrote:

    On Sat, 27 Sep 2014 01:41:58 +0000 (UTC), William Unruh
    <unruh@invalid.ca> wrote:

    That will change your own particular shell that is brought up when you
    log in. Actually the latter will probably give you bash anyway, since
    /bin/sh is often a link to /bin/bash.

    Do you know any cheapo home routers (D-Link, Netgear, etc)
    that actually use bash, and not BusyBox, or some other compact
    "do-all" binary ?
    I know the expensive ones might use it, and the shell on my
    homemade CD-Booted router/firewall running on an old AMD K6 was bash,
    but bash is a bit of an overkill for a cheap home router.
    []'s

    Then there are the TV sets (both of mine run Linux, but have no means of connecting to the Internet), and both my blu-ray players run Linux (and
    they do have ethernet ports).

    Michael


    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: National Capital Freenet, Ottawa, Ontario, C
  • From alexd@110:110/2002 to All on Fri Oct 3 19:53:28 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    Caver1 (for it is he) wrote:

    Ubuntu with bash scripts is used for many embedded appliances and they
    are vulnerable.

    How many embedded appliances are running Ubuntu, again?

    --
    <http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
    20:52:18 up 33 days, 11:08, 7 users, load average: 0.83, 0.66, 0.56
    Any sufficiently advanced incompetence is indistinguishable
    from malice

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Thad Floryan@110:110/2002 to All on Fri Oct 3 20:33:31 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 10/3/2014 12:53 PM, alexd wrote:
    Caver1 (for it is he) wrote:

    Ubuntu with bash scripts is used for many embedded appliances and they
    are vulnerable.

    How many embedded appliances are running Ubuntu, again?

    Depends on what one will accept as an "embedded" system;
    the SheevaPlug definitely qualifies as embedded.

    My Sheevaplug servers are fist-sized and the GuruPlug runs
    Debian. Quick example (noting the short uptime is due to
    having had to replace a UPS battery recently) noting that
    root is the only login on such servers:

    root@lanserv1:~# date
    Fri Oct 3 13:14:40 PDT 2014
    root@lanserv1:~# uptime
    13:14:42 up 55 days, 22:37, 1 user, load average: 0.19, 0.15, 0.12 root@lanserv1:~# cat /etc/issue
    Ubuntu 9.04 \n \l

    root@lanserv1:~# ping thadlabs.com # 12 miles away in Milpitas CA
    PING thadlabs.com (192.220.75.50) 56(84) bytes of data.
    64 bytes from thadlabs.com (192.220.75.50): icmp_seq=1 ttl=53 time=15.7 ms
    64 bytes from thadlabs.com (192.220.75.50): icmp_seq=2 ttl=53 time=14.3 ms
    64 bytes from thadlabs.com (192.220.75.50): icmp_seq=3 ttl=53 time=15.6 ms
    64 bytes from thadlabs.com (192.220.75.50): icmp_seq=4 ttl=53 time=16.3 ms

    - --- thadlabs.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3000ms
    rtt min/avg/max/mdev = 14.331/15.527/16.375/0.749 ms
    root@lanserv1:~# bash --version
    GNU bash, version 3.2.48(1)-release (arm-unknown-linux-gnueabi)
    Copyright (C) 2007 Free Software Foundation, Inc.
    root@lanserv1:~# uname -a
    Linux lanserv1 2.6.22.18 #1 Thu Mar 19 14:46:22 IST 2009 armv5tejl GNU/Linux root@lanserv1:~#

    Note the sizes of the SheevaPlugs and GuruPlug which have been running
    here since 2009:

    http://thadlabs.com/PIX/SheevaPlug_first.jpg
    http://thadlabs.com/PIX/SheevaPlug_underside.jpg
    http://thadlabs.com/PIX/SheevaPlug_labelled.jpg
    http://thadlabs.com/PIX/SheevaPlug_Webmin.jpg
    http://thadlabs.com/PIX/SheevaPlug_GuruPlug.jpg
    http://thadlabs.com/PIX/SheevaPlug_CPU_card_top.jpg
    http://thadlabs.com/PIX/SheevaPlug_CPU_card_bottom.jpg

    These consume only 4 to 5 Watts power per a Kill-A-Watt device
    and they have GiGE ports to serve my LAN (DHCP, DNS, and more)
    which is all gigabit:

    http://thadlabs.com/PIX/ThadLABS_network_demarc.jpg
    http://thadlabs.com/FILES/ThadLABS_network_demarc.txt

    Thad

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: ThadLABS (110:110/2002@linuxnet)
  • From John Hasler@110:110/2002 to All on Fri Oct 3 20:51:25 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash Shellshock vulnerability?

    Thad Floryan writes:
    Depends on what one will accept as an "embedded" system; the
    SheevaPlug definitely qualifies as embedded.

    No it doesn't. It qualifies as a headless server. An embedded system
    is embedded in another machine such as a car or a radio.
    --
    John Hasler
    jhasler@newsguy.com
    Dancing Horse Hill
    Elmwood, WI USA

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: Dancing Horse Hill (110:110/2002@linuxnet)
  • From Thad Floryan@110:110/2002 to All on Sat Oct 4 04:01:31 2014
    Subject: Re: Are our WiFI routers and rooftop radios affected by the Bash
    Shellshock vulnerability?

    On 10/3/2014 1:51 PM, John Hasler wrote:
    Thad Floryan writes:
    Depends on what one will accept as an "embedded" system; the
    SheevaPlug definitely qualifies as embedded.

    No it doesn't. It qualifies as a headless server. An embedded system
    is embedded in another machine such as a car or a radio.

    OK, I'll accept that, and this confirms it:

    http://en.wikipedia.org/wiki/Embedded_system

    Thanks! Learn something new every day. :-)

    Thad

    --- MBSE BBS v1.0.4 (GNU/Linux-i386)
    * Origin: ThadLABS (110:110/2002@linuxnet)