Menu
What's new
By:
Filters Better Search

Shellshock BASH bug and RT-N66U

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

cosmoxl said:
I've installed optware then bash on my ac68

when I substitute /opt/bin/bash into the proper place in the test command two lines are returned,
busted
stuff

or
vulnerable
this is a test

So, I guess I've got a problem?
Click to expand...

Yes, the Optware (and Entware) versions of bash will need to be updated by the repository owners.
 
cosmoxl said:
I've installed optware then bash on my ac68

when I substitute /opt/bin/bash into the proper place in the test command two lines are returned,
busted
stuff

or
vulnerable
this is a test

So, I guess I've got a problem?
Click to expand...

Run:
Code: 
opkg update && opkg upgrade
 
xiphias said:
I've been patching lots of machines :eek:
Click to expand...

I updated 103 VMs for a customer yesterday. Thank God for Xen + the yum command...
 
just ran ipkg update and ipkg upgrade and indeed there is now an update for bash. excellent. :)

"Upgrading bash on /opt/ from 3.2.49-1 to 3.2.52-1..."
 
cosmoxl said:
just ran ipkg update and ipkg upgrade and indeed there is now an update for bash. excellent. :)

"Upgrading bash on /opt/ from 3.2.49-1 to 3.2.52-1..."
Click to expand...

But does that latest version have the fix?
 
L&LD said:
But does that latest version have the fix?
Click to expand...

you know what I get when I assume....? Yeah, the update just came out, because I checked yesterday, so I assumed it would fix this. But, I just tested and I still get

busted
stuff

great. :-/
 
cosmoxl said:
you know what I get when I assume....? Yeah, the update just came out, because I checked yesterday, so I assumed it would fix this. But, I just tested and I still get

busted
stuff

great. :-/
Click to expand...

Glad I asked the question. :D
 
OpenVPN

what about this post about "Shellshocking OpenVPN servers":

https://news.ycombinator.com/item?id=8385332

it says: "OpenVPN servers are vulnerable to Shellshock under certain configurations. OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth."

does that mean using OpenVPN server with username+password auth on my RT-N66U is dangerous?
 
Raffael_M said:
what about this post about "Shellshocking OpenVPN servers":

https://news.ycombinator.com/item?id=8385332

it says: "OpenVPN servers are vulnerable to Shellshock under certain configurations. OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth."

does that mean using OpenVPN server with username+password auth on my RT-N66U is dangerous?
Click to expand...

Re-read your own quote:

...If the called script uses a vulnerable shell...
Click to expand...


So once again, with more feeling...

There is NO BASH in the firmware, therefore there is NO VULNERABILITY.
 
Still no updates for entware/optware bash. Any clue why it's taking so long? I would have thought this to take only a few days.
 
noric said:
Still no updates for entware/optware bash. Any clue why it's taking so long? I would have thought this to take only a few days.
Click to expand...

Entware was fixed over two weeks ago when they upgraded to 4.3.30:

https://github.com/Entware/entware/commit/80ccf7f386b861cfba95389a4bf519f9588f0115

As for Optware, you will have to ask the maintainers of these repo directly. They are not associated with Asuswrt in any way, and they most likely aren't on these forums either. I'm not even sure if either Optware repo is still being maintained.
 
Thanks Merlin, I'm going to update then.
Actually I'm only using entware. As you said, optware looks more and more abandoned.
 
You must log in or register to reply here.

Similar threads

sesardelaisla
Solved bash executable script problems when executed through a cron job
2
Replies
20
Views
827
ColinTaylor
C
A
PS5 port forwarding and VPN rules
Replies
4
Views
1K
ColinTaylor
C
commodoro
DDNS Custom check External IP and refresh if necessary
Replies
0
Views
100
commodoro
commodoro
E
Bug found in Brazil --> Parental Control x Amazon Prime|Disney+
Replies
1
Views
230
esas
E
JGrana
Solved Odd Request - Anyone know MS Powershell and how to convert to curl?
Replies
8
Views
959
JGrana
JGrana
Similar threads
Thread starter Title Forum Replies Date
sesardelaisla Solved bash executable script problems when executed through a cron job Asuswrt-Merlin 20
E Bug found in Brazil --> Parental Control x Amazon Prime|Disney+ Asuswrt-Merlin 1
S AXE11000 - WPS bug? Asuswrt-Merlin 4
L aicloud bug Asuswrt-Merlin 2
z2vip AiCloud WebUI bug under 3004.388.6 Asuswrt-Merlin 3
Acru Bug Report: nvram chilli_enable=1 when guest network is removed causes no routing to occur Asuswrt-Merlin 2
Z latest firmware for RT AX-86U - bug Asuswrt-Merlin 13
T A possible bug with QOS traffic classification? Asuswrt-Merlin 14
L ASUS DDNS bug? Asuswrt-Merlin 2
F Bug? "Trigger Port List" cannot be entered in HTTPS mode for 386.12 (RT-AC5300) Asuswrt-Merlin 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,077 (members: 38, guests: 1,039)
Top