Shellshock BASH bug and RT-N66U

[Jelf]

The RT-N66U is driven by linux.
The BASH shell is often used with linux installations.
The BASH shell can be hacked via the shellshock bug that hit the news yesterday.

So.......where does that leave the Merlin world?

Can our home routers be hacked?

Is there anything we can do?

Is there anything that Merlin can do?

Is it time to go live in a cave?

 

[microchip]

The RT-N66U is driven by linux.
The BASH shell is often used with linux installations.
The BASH shell can be hacked via the shellshock bug that hit the news yesterday.

So.......where does that leave the Merlin world?

Can our home routers be hacked?

Is there anything we can do?

Is there anything that Merlin can do?

Is it time to go live in a cave?

Bash is not used on ASUS routers, only good old sh shell. If you do "which bash" (no quotes) you'll see it returns nothing while "which sh" returns /bin/sh

 

[Jelf]

Just found this:

http://www.tomsguide.com/us/shellshock-osx-linux,news-19614.html

which says:

"Graham thinks the flaw may also affect Bash's ancestor, the Bourne shell, or sh, which dates to 1977."

 

[microchip]

Just found this:

http://www.tomsguide.com/us/shellshock-osx-linux,news-19614.html

which says:

"Graham thinks the flaw may also affect Bash's ancestor, the Bourne shell, or sh, which dates to 1977."

He thinks. He didn't imply it also affects sh. Until then, we don't know yet

 

[RMerlin]

The Asuswrt shell is called "ash", and is provided by Busybox.

The sh symlink is merely for convenience/compatibility, and probably carries no direct code relation to neither bash nor sh.

 

[microchip]

The Asuswrt shell is called "ash", and is provided by Busybox.

The sh symlink is merely for convenience/compatibility, and probably carries no direct code relation to neither bash nor sh.

I was wrong then. I didn't follow links and just did which sh which gave me the impression sh is used

 

[john9527]

I ran the test command and it passed as not vulnerable (if you run this command and it prints vulnerable, you are exposed).

env x='() { :;}; echo vulnerable' sh -c "echo this is a test"

 

[netware5]

"ShellShock" bash bug?

Does the Merlin FW vulnerable?

 

[L&LD]

Based on Asus firmware and considering that this is very new... I would say yes, it is.

 

[L&LD]

The Asuswrt shell is called "ash", and is provided by Busybox.

The sh symlink is merely for convenience/compatibility, and probably carries no direct code relation to neither bash nor sh.

One more reason why I continue to think so highly of Asus routers.

 

[F5ing]

Bash Vulnerability Discovered

A vulnerability in bash has recently been discovered (also affects embedded systems):

https://securityblog.redhat.com/201...-environment-variables-code-injection-attack/

https://bugzilla.redhat.com/show_bug.cgi?id=1141597

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707

 

[RMerlin]

One more reason why I continue to think so highly of Asus routers.

Actually, the vast majority of routers also use Busybox, because it's very lightweight.

 

[thiggins]

Threads merged

I've merged all the threads into this one. Please continue the discussion here.

 

[GregE]

N66U with standard firmware apparently not affected

A vulnerability in bash has recently been discovered (also affects embedded systems):

https://securityblog.redhat.com/201...-environment-variables-code-injection-attack/

https://bugzilla.redhat.com/show_bug.cgi?id=1141597

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707

Good discussion here: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html?m=1

Clip from the article:
"discovering if you’re at risk is trivial as it’s such an easily reproducible risk. There’s a very simple test The Register suggests which is just running this command within your shell:

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

You get “busted” echo’d back out and you’ve successfully exploited the bug."

Article referenced: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

I enabled telnet on my N66U, logged in, and issued the command - I got "stuff" echoed back so apparently the N66U is not vulnerable running stock firmware. And, as noted earlier it's not running bash (or sh) anyway.

Someone with Merlin could do the same - but I think it's running the same busybox shell (ash) so there shouldn't be any difference

 

[gotwillk]

so in layman's terms, those of us on the N66U with the latest Merlin fw (376.47) are safe?

 

[RMerlin]

so in layman's terms, those of us on the N66U with the latest Merlin fw (376.47) are safe?

No version of Asuswrt or Asuswrt-merlin is vulnerable. We do not use bash.

Sent from my Nexus 4 using Tapatalk

 

[cosmoxl]

I've installed optware then bash on my ac68

when I substitute /opt/bin/bash into the proper place in the test command two lines are returned,
busted
stuff

or
vulnerable
this is a test

So, I guess I've got a problem?

 

[netmik3]

Safe

ASUSWRT-Merlin RT-AC68U_3.0.0.4 Sat Sep 20 18:50:48 UTC 2014
admin@RT-AC68U:/tmp/home/root# env x='() { :;}; echo Vulnerable' bash -c "echo T
his is a test"
env: can't execute 'bash': No such file or directory
admin@RT-AC68U:/tmp/home/root# env x='() { :;}; echo Vulnerable' sh -c "echo Thi
s is a test"
This is a test

 

[bonzodog]

Just done the same test on my "out-of-the-box" RT-AC56U ....


admin@RT-AC56U:/tmp/home/root# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff


So it looks as if the standard Asus offering is OK ....

 

[bonzodog]

I've installed optware then bash on my ac68

when I substitute /opt/bin/bash into the proper place in the test command two lines are returned,
busted
stuff

or
vulnerable
this is a test

So, I guess I've got a problem?

Yes you do ....