Hi Hannah,
> hi peter. I've tested various builds of busybox ash myself and haven't
> found the vuln applies. could you supply some more details?
It is a QNAP NAS TS-239 Pro2.
> were you testing with the () {} string in an HTTP header?
No, the web server does not respond anymore.
>> Peter Ross wrote:
>>> I have an older QNAP NAS appliance (used for backup) that is vulnerable
>>> as well.
[~] # x='() { :;}; echo VULNERABLE' bash -c :
-sh: bash: command not found
[~] # x='() { :;}; echo VULNERABLE' sh -c :
VULNERABLE
[~] # sh --version
GNU bash, version 3.2.0(17)-release (i686-pc-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.
[~] # uname -a
Linux backup 2.6.30.6 #1 SMP Sat Apr 10 06:48:32 CST 2010 i686 unknown
>>> AFAIK Busybox uses ash.
[as Wikipedia says]
Obviously not his one. It has a lot of symlinks to busybox on /bin but its
shell is bash.
Maybe I do a re-install of "something". I am not sure at the moment. It
only copies directories and files to it on the weekly base with external
disks used to back them up permanently (and partially off-site)
If I put the disks somewhere else I do not need the box anymore. It was
just a handy box already in place before I started here.
Regards
Peter
_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
