 
avantwireless
Member Candidate
Topic Author
Posts: 137
Joined: Mon Nov 07, 2005 3:04 am

Bash Exploit

Thu Sep 25, 2014 7:40 am

So a major security problem is out there with Bash variables... Cloud services are patching and rebooting EVERYTHING tonight. *ix is vulnerable... IS MT? Does the web interface execute bash?

http://gadgets.ndtv.com/laptops/news/ba ... rts-597572

Can I get some karma?
Last edited by avantwireless on Sat Sep 27, 2014 1:29 pm, edited 2 times in total.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Thu Sep 25, 2014 8:21 am

+1 to the question.

It would seem RoS is not vuln, but would like *official* word from 'Tik.
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
dibatech
Frequent Visitor
Posts: 76
Joined: Tue Apr 04, 2006 10:14 am

Re: Bash Exploit

Thu Sep 25, 2014 11:14 am

Very interested here as well.
Lots of patching going on...
 
krisjanis
MikroTik Support
Posts: 391
Joined: Tue Feb 05, 2013 5:00 pm

Re: Bash Exploit

Thu Sep 25, 2014 1:01 pm

As RouterOS does NOT use bash, no patching is required from our side.
 
amtisrac
Frequent Visitor
Posts: 92
Joined: Mon Jun 13, 2005 10:53 am
Location: Hungary

Re: Bash Exploit

Fri Sep 26, 2014 1:05 pm

As RouterOS does NOT use bash, no patching is required from our side.
Is this also true for older versions? 2.9.x, etc.
MTCNA, MTCWE, MTCUME, MTCRE, MTCTCE, MTCINE
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Fri Sep 26, 2014 6:45 pm

@krisjanis
So, you're saying that BASH doesn't exist in any form, visible or not, accessible to the user or not, on RouterOS?

What do you use for a shell for underlying work and control? [ROS is obviously a *nix variant, and underneath it almost certainly has some kind of shell - so it's a little hard to take such a blanket dismissal.]
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
maxnett
just joined
Posts: 1
Joined: Tue Dec 07, 2010 12:06 am

Re: Bash Exploit

Sat Sep 27, 2014 12:58 pm

+1 for gsloop's remarks.

We could do with some more detail - does bash exist at all on any version?
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Bash Exploit

Sat Sep 27, 2014 4:00 pm

What do you use for a shell for underlying work and control? [ROS is obviously a *nix variant, and underneath it almost certainly has some kind of shell - so it's a little hard to take such a blanket dismissal.]
Embedded systems (and ROS is an embedded system) usually use BusyBox, which does contain a Bourne-shell-compatible shell implementation which, as far as I know, has no relation to bash. Another popular alternative to bash is zsh. BSD systems have their own implementations of Bourne-shell-compatible shells. Also, lots of different popular types of shell exist on Unix-like systems (ksh, csh, tcsh, just to name a few). So while bash is the most widely used shell nowadays, due to being the default shell on the vast majority of Linux distros, it is far from being the best or the only available option.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Thu Oct 02, 2014 1:46 am

@ andriys

Sure it could be CShell or anything else. But a "*it could be*" isn't an answer.

I need a definitive answer. Is BASH on ROS in any form, even if it's not accessible or visible to the user?
There have been lots of answers from lots of people saying... "Oh, our product X, it isn't vulnerable because blah, blah, blah."
But then come to find out, it IS vulnerable - with a little poking and prodding and a tweak here and there.

So, if ROS has BASH anywhere on it, we should be notified and IMO, I'll be pretty skeptical about claims ROS is immune, at least until it's patched adequately.

As long as I'm at it, Mikrotik seriously needs a security announce mailing list. One shouldn't have to troll the forum to find out about security announcements/patches etc.

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
xcom
Frequent Visitor
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: Bash Exploit

Thu Oct 02, 2014 7:22 am

ash shell.
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Bash Exploit

Thu Oct 02, 2014 1:40 pm

@ andriys

Sure it could be CShell or anything else. But a "*it could be*" isn't an answer.
Any Mikrotik package contains a custom SquashFS image, prefixed with a 4K-byte header. I was not able to mount or extract any of these images using the standard squashfs tools, but it's still possible to extract and examine the contents of Mikrotik images using a recent version of 7-Zip.

RouterOS does contain a shell: the ash shell from the BusyBox package. It also contains /bin/bash, but it is just a symlink to ash, not a real bash binary.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Thu Oct 02, 2014 6:12 pm

@andriys

Thanks, I think.

Let's assume you're right. That's all nice, I suppose.

However, should it be this hard to get a definitive answer from Mikrotik? I could probably disassemble the machine code and make sure BASH isn't in there too, but can anyone imagine having to do that with any responsible vendor, simply to get an answer about one of the biggest vulnerabilities in *nix in years?

It doesn't seem too much to ask, to expect a vendor to do more than just give the barest minimum of information; to refuse to follow up on the discussion and fill in the gaps; but instead, say nothing, and rely on an informal community response for a definitive response!?!? [To a potential vulnerability that got a CVE risk score of 10, no less!]

Giving, essentially, a terse "NO!" answer to questions about the shellshock/BASH vulnerability seems both rude and irresponsible to me. Compare this ['Tik's discussion or lack thereof] to the discussion about it at UBNT, and the very robust discussion about it there even though they're quite sure they are not vulnerable.

Given a choice between the two ways of dealing with customers, I can certainly tell you which product I'm likely to recommend and use, and it's not the terse/hostile vendor.

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
andriys
Forum Guru
Posts: 1051
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Bash Exploit

Thu Oct 02, 2014 6:37 pm

However, should it be this hard to get a definitive answer from Mikrotik?
There was a definitive answer from Mikrotik - see the 4th message in this thread above. krisjanis clearly said that "RouterOS does NOT use bash". You were wondering what kind of Unix shell is in use in RouterOS, and I kindly did a little research for you. I really do not understand what this noise is all about.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Thu Oct 02, 2014 9:34 pm

There were questions about different versions, about whether BASH was simply not user-accessible, but still in the underlying system etc.

Perhaps you're perfectly fine with inadequate information, simply trusting that the blanket statement given covers all possibilities, but I'm not. You're welcome to paint those of us who want more detail, as loonies who are swooning about it needlessly, but when a *security* device is involved, and the risk is so comprehensive and total, then some additional details seem more than reasonable to expect.

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
avantwireless
Member Candidate
Topic Author
Posts: 137
Joined: Mon Nov 07, 2005 3:04 am

Re: Bash Exploit

Thu Oct 02, 2014 9:45 pm

Hmmm, I'm curious as to what information you are digging for beyond "No bash". Seems like a problem that isn't a problem if bash isn't there. I think you are diminishing your karma by flogging a dead horse, publicly. Maybe you wanted a statement from the CEO? A guarantee? Not going to get it for the price point that they sell RouterOS for. If you are that worried about security, you shouldn't be putting a piece of software from a foreign country in your network, and you should compile all OS's from the available source after doing a thorough diff to the source trees. :D
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Thu Oct 02, 2014 10:08 pm

@avantwireless
If you are that worried about security, you shouldn't be putting a piece of software from a foreign country in your network
You know, you're right. That's why I'm moving my installed base over to Ubiquiti's Edge Router. [How about that?]

And, for the same or better price-point, I do get answers to questions like this from them. So, your bombast that "it couldn't possibly be affordable to give detailed answers..." seems a bit off target. I posted the same question on their forum and the difference in response is pretty stark. [To be honest, one would hope that devices from foreign countries shouldn't worry one that much - one would hope that the integrity of the company would be enough...]

And Karma? That's fine - it's meant to burn. If asking for substantial clarification burns karma, so be it. You're not going to shame me into conformance.

But unfortunately, I still have some Mikrotik devices out there, and on several different versions - so the level of detail we've gotten here is, IMO, still inadequate.

It's funny how when one asks for better, the usual response here is: [given in a huffy manner] "If you don't like the abuse we give, then too effen bad. Don't let the door hit you in the backside on your way out!" Sheesh.

HAND
-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
avantwireless
Member Candidate
Topic Author
Posts: 137
Joined: Mon Nov 07, 2005 3:04 am

Re: Bash Exploit

Thu Oct 02, 2014 10:53 pm

Please note that UBNT s/w is developed in the same country as MT.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Fri Oct 03, 2014 7:48 pm

As I said, one would hope the integrity of the company would suffice.

All that said - Debian and Vyatta don't appear to be developed primarily in Latvia. [Never mind that UBNT [as I understand it] forked Vyatta and while the base is Vyatta, there are modifications of their own.]

Got some sources?
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
avantwireless
Member Candidate
Topic Author
Posts: 137
Joined: Mon Nov 07, 2005 3:04 am

Re: Bash Exploit

Fri Oct 03, 2014 8:12 pm

Sources of code or sources of development location? For development location, look at the Ubiquiti forums and who responds to development questions.

https://www.linkedin.com/in/edmundasbajorinas Lithuania
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Fri Oct 03, 2014 8:35 pm

I'm not going to get into an argument about this - but having a single developer vs. the entire company seems, to me at least, to not be at all equivalent. Not even remotely.

I guess each person will have to make their own call. I just know my calculus is vastly different than what you're implying.
[Frankly, given how out of control the US Government is, in terms of spying-overreach, one might even make the case that development on the US mainland vs somewhere with less government interference would be better. (But, IMO, Latvia would be far worse by those criteria.)]

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
avantwireless
Member Candidate
Topic Author
Posts: 137
Joined: Mon Nov 07, 2005 3:04 am

Re: Bash Exploit

Fri Oct 03, 2014 8:45 pm

I guess I should have mentioned that I used to work for Ubiquiti... Yes, the majority of their software development was done in Lithuania, not by one person. I cannot say if that is true today, but I cannot see a reason that they would have migrated it to the US when the team over there was a great bunch. As is the MT crowd. You are the one that doesn't trust MT but has no problem trusting UBNT. But one is a private company and one is a public company. As such, the images they project usually are vastly different. But this isn't about the bash exploit anymore but about you. Nobody else is chiming in, and I in no way represent either of the above-mentioned companies anymore. IF you find a way to exploit the bash bug on any of your soon-to-be non-MT gear, post it and prove all of the above posts wrong... Otherwise.... have a good day... :)
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm
Contact:

Re: Bash Exploit

Fri Oct 03, 2014 9:53 pm

You've created such a total straw-man argument, it's farcical.

I'd be glad to trust Mikrotik, provided they acted in a trust-worthy manner. As I've said - I'd like something better than the terse explanation that
As RouterOS does NOT use bash, no patching is required from our side.
So, does that mean:
The portions of RouterOS you work with don't have BASH, so everything is good. We know, for example, that you don't need access to bash directly to exploit the vulnerability. So, some clarification here would be really quite nice.

Does this mean that the given statement applies to every version of ROS, or just version 6?

The statement given could easily have many different meanings. [see how creatively the NSA "denies" all sorts of things for a lesson in misdirection] Asking for clarification isn't "not trusting" - but simply asking for more data so I can evaluate it.

Further, the "mistrust" you give comes from your post, not mine. [Yet, I'm the one who is unwilling to trust MT?]

I'll simply restate what I've asked for from the beginning, and what I DO get from UBNT [Without a lot of teeth pulling either.]; A comprehensive answer from someone who is authorized to represent the company.

Does BASH exist in any form in any version of ROS? If yes, then please detail what versions and how it's involved so users can determine their exposure. [As this thread has gone on now, without any additional details from MT, for nearly two weeks now, I'm not holding my breath.]
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
docmarius
Forum Guru
Posts: 1196
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: Bash Exploit

Sat Oct 04, 2014 12:39 pm

Before just flaming around about a clear answer which states NO, I would remind you of something stated on the first page of this forum:
Notice: For support from Mikrotik staff, write to support@mikrotik.com - Mikrotik does not generally offer support on the forum, this is a user forum.

Have you sent a mail to support to ask this?

PS: don't forget to ask if any older version uses apache2 as its web server and mysql to manage route lists, or if there is a hidden open office somewhere inside because there is an editor there...
Why the heck would someone put a 900k shell executable in there, if a 50k one would do the needed job?
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
normis
MikroTik Support
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Bash Exploit

Mon Oct 06, 2014 9:37 am

Yes, BASH does not exist in RouterOS in any form, visible or otherwise. RouterOS is in no way affected by this thing.
No answer to your question? How to write posts
 
webasdf
Frequent Visitor
Posts: 84
Joined: Mon Jan 26, 2009 6:37 pm

Re: Bash Exploit

Wed Oct 15, 2014 10:32 pm

Bash != ash

I have worked with ash and busybox. In fact, I just tested the shellshock vulnerability today per https://shellshocker.net/ which is a site that provides info about this issue. It also provides info about how to test for the vulnerability. Ash didn't test positive for any vulnerability associated with shellshock. This is purely a bash bug and bash is not ash!
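An added example, not code posted by anyone in this thread: a POSIX sh script that performs the two checks andriys and webasdf describe. It follows a shell path such as /bin/bash through any symlink chain (andriys reports RouterOS ships /bin/bash as a symlink to ash), asks the target whether it really is GNU bash, and runs the standard environment-function probe from shellshocker.net to see whether the shell executes trailing code from an imported function definition. It assumes readlink is available; the marker word and function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Runs under ash/dash/bash; needs readlink.
# Shows which binary a shell path really is, and whether it is Shellshock-prone.

# resolve_shell PATH -> prints the final target of any symlink chain.
resolve_shell() {
    p=$1
    i=0
    while [ -L "$p" ] && [ "$i" -lt 16 ]; do
        t=$(readlink "$p") || break
        case $t in
            /*) p=$t ;;                      # absolute link target
            *)  p=$(dirname "$p")/$t ;;      # relative to the link's directory
        esac
        i=$((i + 1))
    done
    printf '%s\n' "$p"
}

# shell_kind PATH -> "bash" if the binary sets BASH_VERSION, else "other".
# An ash binary reached through a symlink named bash does not set it.
shell_kind() {
    if "$1" -c 'test -n "$BASH_VERSION"' 2>/dev/null; then
        echo bash
    else
        echo other
    fi
}

# shellshock_check PATH -> "vulnerable" if the shell runs the trailing command
# of an exported function definition at startup, else "not vulnerable".
# A patched bash, ash and dash all print only "probe" here.
shellshock_check() {
    out=$(env x='() { :;}; echo SHOCKED' "$1" -c 'echo probe' 2>/dev/null)
    case $out in
        *SHOCKED*) echo vulnerable ;;
        *)         echo "not vulnerable" ;;
    esac
}

# report PATH -> one line: "<path> -> <target> (<kind>): <status>"
report() {
    t=$(resolve_shell "$1")
    printf '%s -> %s (%s): %s\n' "$1" "$t" "$(shell_kind "$t")" "$(shellshock_check "$t")"
}

report /bin/sh
if [ -x /bin/bash ]; then report /bin/bash; fi
```

On a box where /bin/bash is only a symlink to ash, report prints the ash target with kind "other", which is the situation andriys describes; only a real, unpatched bash prints "vulnerable".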
