Shellshock - Bash Vulnerability

[Juggler]

As I use Ubuntu 12.04 and 14.04 base, this vulnerability is of particular interest :

https://www.cert.gov.uk/resources/alert ... hellshock/

I've just upgraded a 14.04 Ubuntu base to the latest and tried the vulnerability test :

Code: Select all

env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

and got the not vulnerable response :

joggler@joggler:~$ env x='() { :;}; echo vuln' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
joggler@joggler:~$

Of the distros used on the Joggler, I am not certain which need to be patched. Perhaps, more knowledgeable people here can comment. However, as a start, I think that the following will be vulnerable :

Ubuntu bases
Ubuntu
Xubuntu

I wonder of the OpenPeak OS (OS the Joggler comes with) is vulnerable ? Maybe with it being old, the vulnerability does not exist, in it.

Need to understand a bit more about it first, I think. I beleive it came about as a fault in an earlier patch, so in that case, it may only affect systems that have been updated recently. But I may be wrong. More concerned here that my Joggler's don't get pwned by some worm, that is being created right now... (Not me, I wish to add)

[Juggler]

Seems that all versions of Bash up to and including 4.3 are vulnerable :

https://security.stackexchange.com/ques ... ellshock-b

Although there may be some future subversions of 4.3 that actually fix the issue.

I have been checking this morning if the direct internet facing devices I have may be vulnerable - router/modem, and I think it is not, as it uses BusyBox which does not use bash or a full implementation of it anyway - but I may be wrong :

http://www.dslreports.com/forum/r295598 ... hellshock-

This article talks about some unusual devices (IoT) that may be at risk :

http://www.troyhunt.com/2014/09/everyth ... about.html

For information on 'buntu, see this :

http://askubuntu.com/questions/528101/w ... o-i-fix-it

Does the standard Joggler OS (OpenPeak OS) use bash ? What about PNP and SqPOS ? I'd like to check these but I don't have a spare Joggler PSU at hand at the moment, and I'm wondering if I actually boot a Joggler in to whatever is on the internal flash that I may get my self even more work to do. But what the heck, when I can find a spare PSU will have a go. If the Joggler OpenPeak OS is vulnerable, what could be done ?

[JimbobVFR400]

SqPOS 1.09 so quite an old version on Ubuntu 10.04 reports as vulnerable in the test.

SqPOS 2 something or other, not sure of the exact version as it doesn't report the version at logon like 1.09 also reportsbas vulnerable too. Not tried the latest version 3 yet.

Practically what does this mean for me?

The stack exchange link above seems to suggest your command tests if bash is vulnerable which it is, however replace bash with sh and it doesn't show as vulnerable but some scripts might use bash hence be vulnerable. To say I'm confused would be entirely accurate.

[pete]

Yeah here have left the older running Linux Jogglers alone; just using them but not really paying attention.

I am converting many Wintel Jogglers over to Ubuntu 14.04 (BuZz's latest and greatest).

I am now playing with Wine and have been able to get my Sapi 4/5 to work fine with Ubuntu/Wine.

That said yesterday started a new build from scratch. Using a 25Mb USB boot EFI stick to boot a 16Gb SSD drive. I did notice some 300 plus updates came up right after installation. I think I am covered.

I do still have some very old embedded Linux devices mostly ones that I never really could get to easily and typically would just upgrade the firmware on. The issue with some of these devices is that the companies are not making them; therefore there is no support nor upgrade coming.

[Juggler]

I think that, at the moment, the risk of the vulnerability being exploited on your own devices is more likely from a user initiated action, for example visiting a website (even well known and trusted websites can be modified, and you would not know about it) or opening an attachment in an email.

There is a great deal of uncertainty at the moment as it is impossible to predict exactly how the vulnerability will be exploited and what it means to most people. Most at risk right now and what will probably be targeted first are the servers that you depend on - i.e. the server this forum is running on, your bank's servers and so on.

I think one of the biggest concerns are that a worm

https://en.wikipedia.org/wiki/Computer_worm

could be created, and then it would not be necessary for the user to cause infection, just the device being present on some network.

Who know what the payload would be - i.e. what the exploit would do - and that could change over time as well.

This is why I think it is best to patch now, if you can, especially if it is something you depend on and/or have your personal data passing through.

[Juggler]

I think these should explain far better than I can :

https://en.wikipedia.org/wiki/Shellshoc ... are_bug%29

I think this should be essential reading, and will no doubt be updated very frequently. Of particular note is the section :

https://en.wikipedia.org/wiki/Shellshoc ... on_vectors

so, there are many more exploit vectors than I originally understood.

Worms and one of the most (in)famous (Morris) :

https://en.wikipedia.org/wiki/Timeline_ ... _and_worms
https://en.wikipedia.org/wiki/Morris_worm

[pete]

Sad in a way. I mean one analogy was being taught to always drive defensively; no matter what.

In a way these days its the same with using the internet and computers.

Many folks introductions to the internet are just telephones and tablets. They mostly have full trust and faith in the OS providing their access and don't really worry about things they do not see.

Over the years always used VPN tunnels; it was a nice option to have.

These days literally have shut the doors using PFSense and have gone to having to use VPN tunneling.

Switched over browsers to only using Firefox and added the adblock and ghostly plugins. Note that I do not work for Firefox or anything like that.

I am so amazed at what I see that I never really paid attention too.

Image that cell phone users or tablet user connecting to the internet and not seeing all of that little stuff going on; hidden in the recesses of a nice and easy plug in play interface. Well they do see that these days in most malicious ways.

Many folks are putting the issues in one bucket right now; well Linux.

That said mostly of the after Linux/Unix OS's are all built on original Unix / Linux cores such that that base iOS, Wintel or Andoid OS probably could have these issues buried way down deep in developed from Linux/Unix kernal calls which are going to be a real PITA to fix. Well its easier to say its a Linux/Unix issue rather than an Android, iOS or Wintel issue; finger pointing works better for the masses sometimes. (I am not writing that this is good or bad; just there).

What a pita it is to have to be so vigilant with something you pay for.

[roobarb!]

For the Joggler, it's really where it's running a web service triggering bash cgi scripts that you've got an issue. But having said that, your Joggler is likely behind a router. If you're not deliberately exposing your Joggler to the web, you've got very little to worry about.

If you are exposing your Joggler's ports to the 'net, then just apt-get update and upgrade - problem solved. If you're exposing the default OS to the web... Why? Don't!

[pete]

I checked the Jogglers running with Ubuntu 14.04 builds yesterday doing an update and they all got bash updates.

Found this googling:

http://www.ubuntu.com/usn/usn-2362-1/

That and see that its already being exploited in internetlandia.......geez Louise...

My MythTV box (6 tuners) is still at Ubuntu 12.10. Never touch it as it works well. I do though check every once in a while using Webmin. Sits headless these days.

[Juggler]

I haven't checked my self and I'd prefer to comment from actual experience, but from the comments so far, I get the impression that the Joggler with the O2/Default/OpenPeak OS is vulnerable.

Maybe for the typical Joggler user (i.e. someone who bought the Joggler to use as it was intended - are there any of those now after O2 dropping support?), the Joggler could well be the only Linux based device in their house that is vulnerable.

Agreed that modem/routers or routers will provide a degree of protection by using NAT (Network Address Translation). But have you seen the exploit vectors that are possible ?

I think there will be many Bash updates in the coming days, as from what I understand, what has been discovered so far is just scratching the surface. And this is great for those that are able to update. However, this is not possible for those using the O2/Default/OpenPeak OS and PNP3, is it ?

But what can be done to protect/patch a Joggler using the O2/Default/OpenPeak OS from this risk ? Does anyone still use a Joggler as it was intended ? Is a Joggler still usable in its original form ?

What about PNP3 ? Does that use Bash ?

I'm just concerned that I can see the situation where Jogglers could be compromised and could continue to do so for months maybe years before being detected, disconnected or disposed of.

[roobarb!]

I haven't checked my self and I'd prefer to comment from actual experience, but from the comments so far, I get the impression that the Joggler with the O2/Default/OpenPeak OS is vulnerable.

I'm not sure that it is vulnerable... I'm not even sure it has a Bash shell at all.

It's been a very long time since I looked at the original OS, but I'm pretty sure it was a simple ash shell, not Bash. You could issue /bin/bash, but it would only ever be ash that it was symlinked to via BusyBox (which can be built with or without Bash).

The ash shell is not vulnerable to this exploit. If I'm right, everyone can sleep easy.

DISCLAIMER: If PNP adds a Bash binary, then you can't sleep easy! But I don't know if it does.

[pete]

Thank you roobarb!

[Juggler]

That's good to hear roobarb!

It makes sense that busybox would have been used and I found this on a Google search too :

http://www.jogglerwiki.com/wiki/Updated ... g_httpd%29

which indicates what is included in the BusyBox of the default Joggler OS.

Thanks to buying betting shop jogglers, I have a lack of power supplies. I'm looking for something that can give out enough current at 5V, and I'll have a look at a betting shop joggler, with whatever is on there. I think it should be PNP, but I don't know till I boot it.

Would a Joggler with the default OS actually be usable now ? I guess a lot of the apps that people would have found useful on the Joggler have now stopped working, so if a Joggler is being used as intended it is probably just as a clock or something like that.

I guess if I got hold of an image of the default Joggler OS, I could mount that and have a look inside the file system to see what is in there.

I wonder if there are tools now that can remotely test a device to see if it is vulnerable ?

[Juggler]

Answering my last question - tools to test for this vulnerability. I found these :

http://shellshock.brandonpotter.com/
http://www.shellshocktest.com/
https://twitter.com/lukashed
http://bashsmash.ccsir.org/

and have done some quick tests. I don't know how comprehensive, effective or trustworthy they are, but they are mentioned quite a bit in google.

I tried some of them against my public IP address, and it reported not vulnerable, which is what I believed to be the case for the router I have - it uses BusyBox and does not have bash.

[Juggler]

This website looks like the best I have seen so far :

https://shellshocker.net/

There now appears to be 6 unique vulnerabilities and exploits for each. This number will likely grow as, from what I understand, Bash has some fundamental issues.

There is a script that can be downloaded and each of the exploit tests run, so you can easily discover if your system is vulnerable.

And it provides details on how to patch.