Pogoplug B01 - Shellshock Bash Bug - fixable?

This forum is for all other ARMv5 devices

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby dbvqdpwn » Mon Oct 06, 2014 5:34 pm

karog wrote:However, when I upgraded to that bash on my pogo E02, I could no longer authenticate for ssh with either public key (my usual way) nor password. When I downgraded bash back to the prior version, both forms of auth worked again. Note that my E02 was never upgraded to systemd as I keep it more or less in sync with my V3 pogos which no longer get updated unless necessary.

I upgraded to 4.3.30 and encountered a similar issue with not being able to authenticate.

Turns out the upgrade moved the binary from /bin/bash to /usr/bin/bash. I just made a copy and that fixed things.

Code:
[user@pogoplug ~]$ grep user /etc/passwd
user:x:1000:1000::/home/user:/bin/bash

[user@pogoplug ~]$ chsh -s /usr/bin/bash
Changing shell for user.
Password:
chsh: "/usr/bin/bash" is not listed in /etc/shells.

[user@pogoplug ~]$ sudo cp /usr/bin/bash /bin/bash
[sudo] password for user:

[user@pogoplug ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

[user@pogoplug ~]$ echo $BASH_VERSION
4.3.30(1)-release
dbvqdpwn
 
Posts: 1
Joined: Mon Oct 06, 2014 5:26 pm
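The two checks the post above does by hand, as an added example that is not from the thread: run the CVE-2014-6271 test string from the post against a given bash binary, and confirm that the login shell recorded in passwd actually exists (the failure mode when /bin/bash goes missing). The passwd file path and user name are parameters; the sample passwd content in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the forum thread.

# shellshock_vulnerable BASH_PATH
#   0 = the binary executes code trailing a function definition in an
#       environment variable (the test string used in the thread),
#   1 = patched, 2 = no executable at that path.
shellshock_vulnerable() {
  bash_bin="$1"
  [ -x "$bash_bin" ] || return 2
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
  case "$out" in
    *vulnerable*) return 0 ;;
    *)            return 1 ;;
  esac
}

# login_shell_ok USER PASSWD_FILE
#   0 if USER's 7th passwd field names an executable, 1 otherwise.
#   A dangling shell (e.g. /bin/bash removed by a package upgrade)
#   makes sshd reject both key and password logins for that account.
login_shell_ok() {
  shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
  [ -n "$shell" ] && [ -x "$shell" ]
}

# Stand-alone run: report on the bash found in PATH and the invoking user.
if [ -z "$SHELLSHOCK_CHECK_LIB" ]; then
  if b=$(command -v bash); then
    shellshock_vulnerable "$b" && rc=0 || rc=$?
    case $rc in
      0) echo "$b: VULNERABLE to CVE-2014-6271" ;;
      1) echo "$b: patched" ;;
      *) echo "$b: not executable" ;;
    esac
  fi
  u=${USER:-$(id -un)}
  login_shell_ok "$u" /etc/passwd && echo "$u: login shell present" \
    || echo "$u: login shell missing or not executable"
fi
```

Set SHELLSHOCK_CHECK_LIB=1 before sourcing the file to load only the two functions.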

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby karog » Mon Oct 06, 2014 6:46 pm

dbvqdpwn wrote:
karog wrote:However, when I upgraded to that bash on my pogo E02, I could no longer authenticate for ssh with either public key (my usual way) nor password. When I downgraded bash back to the prior version, both forms of auth worked again. Note that my E02 was never upgraded to systemd as I keep it more or less in sync with my V3 pogos which no longer get updated unless necessary.

I upgraded to 4.3.30 and encountered a similar issue with not being able to authenticate.

Turns out the upgrade moved the binary from /bin/bash to /usr/bin/bash. I just made a copy and that fixed things.

I just looked at my non-upgraded E02 and /bin/bash -> ../usr/bin/bash (a soft link) and /usr/bin/bash exists. So maybe the upgrade removes the soft link rather than moving the executable. I may try the upgrade of bash this weekend and see if that is the issue.
karog
 
Posts: 183
Joined: Thu Jan 05, 2012 7:55 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby WarheadsSE » Mon Oct 06, 2014 6:51 pm

The newer version expects /bin itself to be a link to /usr/bin .. so yes, it does not contain such a link.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6729
Joined: Mon Oct 18, 2010 2:12 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby moonman » Tue Oct 07, 2014 4:38 am

I don't see why everyone is worried about this bug. Does anyone have privileged shell access to your box? If yes you should worry, if not it really is not a big deal. Shared hosting might be affected, yes, as you may be able to gain access to somebody else's account or root, but a box that only you have access to - no.
Pogoplug V4 | GoFlex Home | Raspberry Pi B 512 | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | |[armv5] How to install my.pogoplug.com service | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3089
Joined: Sat Jan 15, 2011 3:36 am
Location: Calgary, Canada

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby greenman » Tue Oct 07, 2014 12:40 pm

Everyone -- again thanks for all the replies, explanations and considerations. I'm puttering on this in my spare time, so thanks for your patience when I don't reply immediately.

@bodhi -- Are these the forum threads being referred to?
http://forum.doozan.com/read.php?2,1604 ... #msg-17712
http://forum.doozan.com/read.php?3,16017

I'll give these a thorough read and then give your directions a try. Thank you.

@WarheadsSE, @karog -- If you do find that spare eureka moment one weekend, I hope you'll share your results. Cheers.

@moonman, I imagine there are few instances where an unsecured pogoplug poses a threat to someone's home network. I don't have a red phone on my desk or any data or information in my home network worth the time of anyone but friends and family. But not a few experts consider this exploit to be much worse than heartbleed. I just keep thinking that if a security risk is relatively easy to fix, it's better to plug the risk than to live with it. Recently I've been transferring all the capabilities that I like in my B01 to a raspberry pi. I'll likely shut down the B01 and wipe it if those in the pogoplug b01 community with the background and opportunity deem its continued security less than supportable.
POGO-B01
greenman
 
Posts: 24
Joined: Tue Apr 17, 2012 8:03 pm

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby moonman » Tue Oct 07, 2014 8:31 pm

My point wasn't "this is a home device so who cares". The point is that if nobody has access to shell on your device except for you there is no threat. To get to bash you first need to get through ssh authentication. If somebody does guess your password you are screwed anyway regardless if there is a bash bug or not.
On shared hosting on the other hand ssh access is given to multiple people with a restricted access. With that bash bug someone can gain access to other people's resources.
moonman
Developer
 
Posts: 3089
Joined: Sat Jan 15, 2011 3:36 am
Location: Calgary, Canada

Re: Pogoplug B01 - Shellshock Bash Bug - fixable?

Postby bodhi » Fri Oct 10, 2014 6:59 am

@greenman,

Yes. They are.
bodhi
 
Posts: 224
Joined: Sat Aug 13, 2011 10:06 am
