VXers Shellshocking embedded BusyBox boxen Malware writers have crafted new wares to attack embedded devices running BusyBox and not yet patched against the ShellShock vulnerability, researcher Rhena Inocencio says. Miscreants' tool of choice for such attacks is malware called "Bashlite" that, once executed on a victim machine, probes for devices such as routers and …
Putting both on an embedded system would be surprising, but not difficult. Busybox is a single program containing cut down versions of commands you select from an extensive list that includes alternatives to bash. It can be static linked, which saves space when there are only one or two separate programs. Bash has lots of handy features that were added for people's convenience without worrying much about how much space they require.
Storage is so cheap that using bash + coreutils + the full version of anything in crammed into busybox + all the required shared libraries will still fit into a really cheap flash chip. Despite that, I found no copies of bash on any embedded system I use.
The ease of exploitation and the damage an embedded system can do make it worth checking to see if any use bash. If you find one, please speak up. Somewhere on this planet there must be at least one embedded system vulnerable to shellshock. A vPint to the fellow commentard who finds it.
Flocke Kroes Im probably wrong but my understanding from the article is that they seem to be using one shellshock vulnerable device as a beachead from which to launch brute force login attacks against other devices on the same network as the shellshocked device, not that busybox itself is vulnerable.
I looked into the idea of pivoting from one device onto an internal network in a vaguely similar way using a web browser and javascript xmlhttprequests to spam shellshock payload onto the browsers internal lan: http://gogle-analytics.com/QNAP/ to demonstrate to a friend their device might not be safe.
The story is poorly written. From other sources what appears to be happening is that miscreants are looking for unpatched systems that are vulnerable to shellshock, and then taking over those to use as a platform from which to launch password guessing attacks on other systems.
Of course if your password is "1234" or "password", then those systems are vulnerable to a password attack from any source. In addition, if you had a system which was vulnerable to shellshock (many weren't) and haven't patched for it, then lots of different things can be done to it.
In other words, there is no shellshock in Busybox, but weak passwords can be a problem (surprise, surprise).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
