Thread: Bash test

  1.
    Bash test
    #1
    Join Date
    Feb 2012
    Posts
    7,273
    After reading the PC World article, I thought I would check what would happen with the ATV image I am currently running, so.......

    Started PuTTY and typed the following:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    to see if the system is vulnerable to the Bash bug, and I received the following display:

    vulnerable
    this is a test


    For the heck of it, will also check other images to see if they are vulnerable too.

    From PC World magazine:

    How to keep your computer safe from the Shellshock bug

    Nothing drastic, if you’re an average computer user. If your computer is tucked safely behind a firewall—as it should be—the impact on you should be minimal, since attackers won’t have any way to execute malicious code through the Bash shell on your system unless they trick you into running the command locally somehow. Shellshock is more dangerous for web servers and devices that "listen" for Internet commands than home PCs.

  2.
    #2
    Join Date
    Dec 2010
    Location
    Atlanta, Ga.
    Posts
    8,289
    It looks like OpenPli has fixed this problem.

    There is also a firewall plugin available for extra protection.
    My Dreambox One is a piece of shit!

  3.
    #3
    Join Date
    Feb 2012
    Posts
    7,273
    Cool..... glad they're aware of the problem.

    Just updated ATV and they had a bunch of module updates and upon reboot it gets stuck at booting 79, so I guess tomorrow will have to restore.

  4.
    #4
    Join Date
    Feb 2012
    Posts
    7,273
    OpenSPA 3.2 is vulnerable too.... but they show updates available but I haven't upgraded yet.

  5.
    #5
    Join Date
    Mar 2014
    Posts
    309
    Actually Pli were not aware of the issue as can be seen here.

    Code:
    http://forums.openpli.org/topic/35174-stb-vulnerable/

  6.
    #6
    Join Date
    Feb 2012
    Posts
    7,273
    Well, I guess as long as we have a good firewall, we should be ok per the article.

  7.
    #7
    Join Date
    Feb 2012
    Posts
    7,273
    "There is also a firewall plugin available for extra protection."

    I've never tried the plugin on any of the images. I always thought the router firewall was sufficient plus on my PC I also use Kaspersky to control what goes in and out. I also used Norton's site and a few others to check ports and they always showed as being in stealth mode.

  8.
    #8
    Join Date
    Dec 2010
    Location
    Atlanta, Ga.
    Posts
    8,289
    Originally posted by Pale-Rider:
    Actually Pli were not aware of the issue as can be seen here.

    Code:
    http://forums.openpli.org/topic/35174-stb-vulnerable/
    Do not know if that would apply to all Core Members or not. Here is a quote from Milo:
    The standard OpenPLi box is NOT vulnerable because it does not run bash. If you have manually installed "bash", then the box may become vulnerable. However, you'll also need something to expose the shell to the outside, which is something that the webinterface does not do.
    I do not think the bug is much of an issue with a fta receiver, but good to see OpenPli pass the test.

    The Duo2 images from OpenPli are very well designed. I appreciate the work they do very much!
    Last edited by el bandido; 09-27-2014 at 08:58 AM.
    My Dreambox One is a piece of shit!
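The test from post #1 combined with the point quoted in post #8 (a box with no bash installed is not exposed), as an added example that is not part of the thread. The function names, the marker variable and the list of candidate paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: runs the environment-variable test from post #1 against each
# shell binary found on the box and reports one status per path.
# PROBE_MARKER, classify_output, check_shell and report_shells are hypothetical names.

PROBE_MARKER="vulnerable"

# classify_output TEXT
# Prints "vulnerable" when the marker appears as a whole line of the output,
# meaning the command placed after the function body was executed on startup.
# Prints "not-affected" otherwise.
classify_output() {
    if printf '%s\n' "$1" | grep -qx "$PROBE_MARKER"; then
        echo vulnerable
    else
        echo not-affected
    fi
}

# check_shell PATH
# Prints "absent" when PATH is not an executable file (the stock-image case
# described in post #8), otherwise runs the test and classifies its output.
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo absent; return 0; }
    out=$(env x="() { :;}; echo $PROBE_MARKER" "$shell_path" -c "echo this is a test" 2>/dev/null) || true
    classify_output "$out"
}

# report_shells
# Checks whichever bash is first in PATH plus a few common locations
# (the path list is an assumption; adjust it for the image being checked).
report_shells() {
    for candidate in "$(command -v bash 2>/dev/null)" /bin/bash /usr/bin/bash /bin/sh; do
        [ -n "$candidate" ] || continue
        printf '%s: %s\n' "$candidate" "$(check_shell "$candidate")"
    done
}

report_shells
```

A path that reports "absent" for every bash location matches the stock-image case from post #8; "not-affected" on /bin/sh usually means it is not bash at all or is a fixed build.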
