DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

#1 2014-09-25 21:45:04

sk3l
New member
Registered: 2014-09-25
Posts: 3

Shellshock?

I am just in the beginning stages of understanding the bash bug, and how it does or does not affect things, in particular, SSH.

I do run sshd on my DNS-323, open to the Net. Authentication is via RSA public key.

Questions:
======

1) From everything I read, it ~seems~ like ordinary ssh usage, without executing any fancy stuff using ForceCommand, ~~should~~ be unaffected by Shellshock. Am I off on my understanding?

2) My sshd is provided by fonz's fun plug. Is there a way to find out if/when a patch might come through for the bash version in ffp (think it's like 4.1.11)? Does fonz or somebody else still support this?

Thanks,
-Mike

#2 2014-09-25 23:04:52

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 709

Re: Shellshock?

> 1) From everything I read, it ~seems~ like ordinary ssh usage, without executing any fancy stuff using ForceCommand, ~~should~~ be unaffected by Shellshock. Am I off on my understanding?

No. Yes.
For ordinary ssh usage, there is no problem at all. You will get a shell, and can execute any command you like. It doesn't matter if there are other fancy ways to execute the same commands.

If you are using ForceCommand, then you are restricting users in what they can execute. Actually they can execute just a single command, the forced one. In that case it becomes a problem if another command can be injected.

#3 2014-10-02 22:39:45

sioban
Member
Registered: 2010-06-01
Posts: 15

Re: Shellshock?

There are many other ways Shellshock can hurt a NAS.
It can use a CGI to directly inject the command or simply inject the command through any HTTP header (like the User-Agent string).

There's a worm running right now targeting NAS.

If your NAS admin is open on the internet, I would be worried.

I can imagine other ways like BT to inject the command or through any other applications (DNS, DHCP, Mail, FTP, etc.)

There's some proof of how the vulnerability can be exploited there: https://github.com/mubix/shellshocker-pocs

#4 2014-10-02 22:48:28

sk3l
New member
Registered: 2014-09-25
Posts: 3

Re: Shellshock?

Only port I have open to the outside is SSH, on a non-standard port w/ shared key authen, no ForceCommand or authorized_keys commands.

I still haven't heard if ffp would be patched to fix Shellshock, but it seems like for what I'm using this NAS for, it shouldn't really matter.

#5 2014-10-02 23:01:05

sioban
Member
Registered: 2010-06-01
Posts: 15

Re: Shellshock?

That might be a problem only with restricted accounts (git only, sftp, forcecommand, command=)


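Posts #2 and #5 above narrow the SSH exposure to accounts restricted with ForceCommand or command=. As an added example (not part of any post in this thread, and not code from ffp or optware), the script below lists those entries and the accounts whose login shell is bash; the file contents, user names and the backup-only path are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the SSH restrictions that depend on the login shell.
# sshd runs ForceCommand and command="..." through the account's shell
# (shell -c), so these entries matter while that shell is an unpatched bash.

# Active ForceCommand directives in an sshd_config ($1), whitespace form.
forced_in_sshd_config() {
    awk 'tolower($1) == "forcecommand" { $1 = "ForceCommand"; print }' "$1"
}

# Line numbers of authorized_keys entries ($1) carrying a command= option.
restricted_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment or blank line
        /^[ \t]*(ssh-|ecdsa-|sk-)/ { next }    # key type first: no options
        index($0, "command=\"") { print "authorized_keys line " NR }
    ' "$1"
}

# Accounts in a passwd-format file ($1) whose login shell is named bash.
bash_login_accounts() {
    awk -F: '{ n = split($7, p, "/"); if (n && p[n] == "bash") print $1 }' "$1"
}

audit() {   # $1 sshd_config, $2 authorized_keys, $3 passwd
    forced_in_sshd_config "$1"
    restricted_keys "$2"
    bash_login_accounts "$3" | sed 's/^/bash login shell: /'
}

# Constructed sample files (hypothetical names and paths, not from a device).
demo=$(mktemp -d)
printf '%s\n' '#ForceCommand /bin/false' 'Match User backup' \
    '    ForceCommand /usr/local/bin/backup-only' > "$demo/sshd_config"
printf '%s\n' '# laptop key, unrestricted' 'ssh-rsa AAAAexample1 mike@laptop' \
    'command="/usr/local/bin/backup-only",no-pty ssh-rsa AAAAexample2 backup@host' \
    > "$demo/authorized_keys"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'mike:x:1000:100::/home/mike:/bin/bash' \
    'backup:x:1001:100::/home/backup:/bin/bash' > "$demo/passwd"

audit "$demo/sshd_config" "$demo/authorized_keys" "$demo/passwd"
```

On a real system, pass the actual sshd_config, each account's authorized_keys file and the passwd file to `audit` instead of the sample files.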
#6 2014-10-03 23:50:40

sk3l
New member
Registered: 2014-09-25
Posts: 3

Re: Shellshock?

Hey, one other thing I'll chime in on regarding patching bash for the DNS-323. I realized that there is also the opportunity through ffp to install the optware tool kit. It's also not difficult to swap out the default or ffp login shell and insert the bash that can be imported using optware. It seems that the bash bundled with DNS-323's optware has already been patched for Shellshock. So, rather than wait for ffp's bash to be patched, which may never happen, one can switch to the optware version and get the current patch, and hopefully any more that come from upstream.

#7 2014-11-20 12:04:49

jacksjack
New member
Registered: 2014-11-13
Posts: 1

Re: Shellshock?

My sshd is provided by fonz's fun plug. Is there a way to find out if/when a patch might come through for the bash version in ffp (think it's like 4.1.11)? Does fonz or somebody else still support this?
From everything I read, it ~seems~ like ordinary ssh usage, without executing any fancy stuff using ForceCommand, ~~should~~ be unaffected by Shellshock. Am I off on my understanding?

Thanks,




Last edited by jacksjack (2014-11-24 11:44:41)
