On Thursday 25 Sep 2014 16:58:31 Ralph Corderoy wrote:
> > There must be millions of similar devices out there, eg TVs, routers,
> > network storage, fridges even. Who's going to sort them out?
>
> The machine has to be running bash; lots of smaller devices run a
> lighter shell, e.g. dash, or Busybox. And to be vulnerable, there has
> to be a means of passing environment variables to bash, e.g. a CGI
> script implemented in bash where the HTTP request can contain values
> that the web server passes in the environment. Another alternative is
> an SSH server that lets you log in, but forces you to run a particular
> command, e.g. rsync for backups. The original command you requested is
> passed on by the SSH server to bash, your login shell, in the
> environment.
>
> I've seen no indication that just because a machine runs bash then it's
> vulnerable. http://www.bbc.co.uk/news/technology-29361794 in particular
> is full of exaggeration by unnamed "security experts".
> http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ is better.

I must admit; I was reading the BBC!

Having said that; the Stora is a fairly accessible device, which allows remote logins to play media from almost any device connected to the internet, so I guess it might be running bash. I'm on leave tomorrow, so I'll try to find out.

There used to be an OpenStora website which helped people to gain do lots of stuff that the Axentra web interface didn't, but I see that the domain has expired so maybe I'll have to wing it a bit. I still have the instructions for getting in using SSH, so at least I can see if bash is installed.

-- 
Terry Coles

--
Next meeting: Bournemouth, Tuesday, 2014-10-07 20:00
Meets, Mailing list, IRC, LinkedIn, ... http://dorset.lug.org.uk/
New thread on mailing list: mailto:dorset@mailman.lug.org.uk
How to Report Bugs Effectively: http://goo.gl/4Xue
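
The conditions listed in the quoted reply (bash present, bash-implemented CGI scripts, SSH forced commands for accounts whose login shell is bash) can be checked from a shell on the device. The script below is an added example, not part of the original thread; the function names, the paths it looks at and the sample tree are assumptions, and it also checks whether /bin/sh is a symlink to bash, which the thread does not mention.

```shell
# Added example: report the exposure preconditions named in the quoted reply.
# All paths are assumptions about a typical Linux layout; adjust per device.

has_bash() {            # $1 = root; is a bash binary present at all?
    for p in bin/bash usr/bin/bash usr/local/bin/bash; do
        [ -x "$1/$p" ] && return 0
    done
    return 1
}

sh_is_bash() {          # $1 = root; is /bin/sh a symlink to bash?
    case $(readlink "$1/bin/sh" 2>/dev/null) in *bash) return 0 ;; esac
    return 1
}

bash_cgi_scripts() {    # $1 = CGI directory; list scripts with a bash shebang
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(head -n 1 "$f") in
            '#!'*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

bash_login_users() {    # $1 = passwd file; accounts whose login shell is bash
    while IFS=: read -r user x x x x x shell; do
        case $shell in */bash|bash) printf '%s\n' "$user" ;; esac
    done < "$1"
}

forced_command_keys() { # $1 = authorized_keys file; count command="..." entries
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'command="' "$1" || true
}

make_sample_root() {    # constructed sample tree, not a real device image
    r=$(mktemp -d)
    mkdir -p "$r/bin" "$r/etc" "$r/www/cgi-bin" "$r/home/backup/.ssh"
    printf '#!/bin/sh\n' > "$r/bin/bash"; chmod +x "$r/bin/bash"
    ln -s bash "$r/bin/sh"
    printf '#!/bin/bash\necho status\n' > "$r/www/cgi-bin/status.cgi"
    printf '#!/usr/bin/perl\nprint 1;\n' > "$r/www/cgi-bin/list.cgi"
    printf 'root:x:0:0::/root:/bin/sh\nbackup:x:1000:1000::/home/backup:/bin/bash\n' > "$r/etc/passwd"
    printf 'command="rsync --server" ssh-ed25519 AAAA-constructed backup\n' > "$r/home/backup/.ssh/authorized_keys"
    echo "$r"
}

root=$(make_sample_root)   # on a live device, set root=/ instead
has_bash "$root" && echo "bash installed" || echo "no bash found"
echo "bash CGI scripts: $(bash_cgi_scripts "$root/www/cgi-bin")"
echo "bash login users: $(bash_login_users "$root/etc/passwd")"
rm -rf "$root"
```

A device with no bash binary, or with bash present but none of the other findings, does not meet the conditions described in the quoted reply.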