Shellshock expolit vulnerability?

My Cloud OS 3 Personal & Network Attached Storage My Cloud
21

WD is really taking too long to roll out the patch, it’s a simple patch.

For those with V4 firmware (note: only V4 that was released with 64K page size memory), and wish to have bash upgraded to v4.3.30, just get the ones I’ve compiled below from my dropbox (I’m not responsible for any damage caused).

From shell (ignore dpkg warnings): Only V4 firmwares, do not install directly on v3 firmware as I don’t have v3 to test! I tried building for v3 seems it still can run on v4 mycloud without being killed. You can however test first on a v3 mycloud by extracting the bash binary from this deb and run from the home dir eg ~/bash --version. Or see the install guide for v3 on the 1st page.

# Download:wget --no-check-certificate dl.dropbox.com/s/o4cefiy1d3wwp3x/bash_4.3-11_armhf.deb;
# Install:
dpkg -i bash_4.3-11_armhf.deb;# Confirm:bash --version;# Test your system:curl https://shellshocker.net/shellshock_test.sh | bash;# Results:#CVE-2014-6271 (original shellshock): not vulnerable#CVE-2014-6277 (segfault): not vulnerable#CVE-2014-6278 (Florian's patch): not vulnerable#CVE-2014-7169 (taviso bug): not vulnerable#CVE-2014-7186 (redir_stack bug): not vulnerable#CVE-2014-7187 (nested loops off by one): not vulnerable#CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
22

@Nazar78

Your .deb should work on v3 firmware as well, right?

23

joskevermeulen wrote:
@Nazar78

Your .deb should work on v3 firmware as well, right?

No, do not apply on v3 firmware! It’s only for v4 firmware which has the 64K page size memory. For v3 firmware, follow the upgrade steps using apt-get from earlier post…

Edited: See my post before this.

24

Oh I thought the problem was only when installing v3 packages on v4, not vica versa.

I don’t suppose any of you would be so kind to compile a v3 package as well?

25

Hi joskevermeulen & Co

I followed your tutorial to upgrade bash on my WD Mybooklive and it didn’t quite end as I would have liked…

  • I backed up my sources.list
  • I editted my source.list
  • I updated the package list…

MyBookLive:~# apt-get update

Get:1 http://ftp.us.debian.org jessie Release.gpg [836B]

Get:2 http://ftp.us.debian.org jessie Release [190kB]

Ign http://ftp.us.debian.org jessie Release

Ign http://ftp.us.debian.org jessie/main Packages

Get:3 http://ftp.us.debian.org jessie/main Packages [8832kB]

Fetched 9024kB in 14s (609kB/s)                                                                                                           

Reading package lists… Done

  • I tried to get the bash package

MyBookLive:~# apt-get install --only-upgrade bash

E: Sense only is not understood, try true or false.

MyBookLive:~# apt-get install --only-upgrade bash

E: Sense only is not understood, try true or false.

MyBookLive:~# apt-get install -only-upgrade bash

E: Option -only-upgrade: Configuration item specification must have an =.

MyBookLive:~# apt-get install -upgrade bash

E: Command line option ‘p’ [from -upgrade] is not known.

  • I then ignored the issue and tried altering the command and accepted default response about dash

MyBookLive:~# apt-get install  bash

Reading package lists… Done

Building dependency tree       

Reading state information… Done

The following extra packages will be installed:

  dash libc6 libc6-ppc64 libtinfo5 locales

Suggested packages:

  bash-doc glibc-doc

Recommended packages:

  bash-completion

The following NEW packages will be installed:

  dash libtinfo5

The following packages will be upgraded:

  bash libc6 libc6-ppc64 locales

4 upgraded, 2 newly installed, 0 to remove and 282 not upgraded.

Need to get 12.4MB of archives.

After this operation, 8184kB of additional disk space will be used.

Do you want to continue [Y/n]? Y

WARNING: The following packages cannot be authenticated!

  dash libc6-ppc64 locales libc6 libtinfo5 bash

Install these packages without verification [y/N]? y

Get:1 http://ftp.us.debian.org jessie/main dash 0.5.7-4 [102kB]

Get:2 http://ftp.us.debian.org jessie/main libc6-ppc64 2.19-11 [2465kB]

Get:3 http://ftp.us.debian.org jessie/main locales 2.19-11 [3957kB]

Get:4 http://ftp.us.debian.org jessie/main libc6 2.19-11 [4535kB]                                                                         

Get:5 http://ftp.us.debian.org jessie/main libtinfo5 5.9+20140913-1 [275kB]                                                               

Get:6 http://ftp.us.debian.org jessie/main bash 4.3-10 [1116kB]                                                                           

Fetched 12.4MB in 14s (859kB/s)                                                                                                           

VULNERABLE

Preconfiguring packages …

Selecting previously deselected package dash.

(Reading database …

dpkg: warning: files list file for package `ramlog’ missing, assuming package has no files currently installed.

dpkg: warning: files list file for package `libparted0’ missing, assuming package has no files currently installed.

(Reading database … 18717 files and directories currently installed.)

Unpacking dash (from …/dash_0.5.7-4_powerpc.deb) …

VULNERABLE

Adding `diversion of /bin/sh to /bin/sh.distrib by dash’

ln: creating symbolic link `/usr/share/man/man1/sh.1.gz.tmp’: No such file or directory

dpkg: error processing /var/cache/apt/archives/dash_0.5.7-4_powerpc.deb (–unpack):

subprocess new pre-installation script returned error exit status 1

dpkg (subprocess): unable to execute new post-removal script (/var/lib/dpkg/tmp.ci/postrm): No such file or directory

dpkg: error while cleaning up:

subprocess new post-removal script returned error exit status 2

Errors were encountered while processing:

/var/cache/apt/archives/dash_0.5.7-4_powerpc.deb

E: Sub-process /usr/bin/dpkg returned an error code (1)

  • My UI screen showed a message about a failed firmware upgrade and then kept the screen kept refreshing so I couldn’t do anything with it.
  • Then I tried rebooting the drive and got the steady white/yellow light

Do I now go to the unbricking page or is there a simpler way?

I know I should have waited for the proper release, and even though I have some Unix experience I know I should have stopped and not gone off script but I couldnt find anything on the web about --only.

Thanks in advance for any help .

Regards

26

So I tried compiling the patched bash package for v3, but ended up with a +3mb file which appeared to be faulty.

However , I checked the jessie repo for a recent bash update and there’s version 4.3-11 now. After installation it appears this version has the shellshock bug completely patched (so far). To verify if you’re protected, you can use the following:

curl https://shellshocker.net/shellshock_test.sh | bash

_ I updated my initial instructions to use the recent bash. _

@LoftyGit:

sorry I have no idea what went wrong and how to fix it. Maybe someone else?

(which firmware are you on?)

27

Just to update anyone who had installed the V4 bash deb I post on page#3. I noticed the fg bg jobs commands are missing, can’t bring back background jobs. I’ve removed the deb from my dropbox and updated the post for bash_4.3-11.

28

Looks like WD just released a patch for this