Because I publish a lot of articles on DD-WRT router firmware, and I also recently published an article on patching the Shellshock bug on older Fedora-based Linux systems, I’ve been receiving a lot of emails asking if DD-WRT firmware is affected by the Shellshock Bash bug. The answer is… maybe.
By default, the shell used by DD-WRT is displayed when you ssh into your router:
BusyBox v1.21.0 (2014-06-07 21:56:38 CEST) built-in shell (ash)
The built-in BusyBox “ash” shell is different than Bash, and I’ve run the exploit tests from my Fedora Shellshock article against ash in DD-WRT and got the following results:
root@dd-wrt:# env x='() { :;}; echo vulnerable' ash -c "echo this is a test" this is a test root@dd-wrt:# cd /tmp; env X='() { (a)=>\' ash -c "echo date"; cat echo date root@dd-wrt:# env -i X=' () { }; echo hello' ash -c 'date' Mon Sep 29 09:35:29 UTC 2014 root@dd-wrt:# ash -c 'true <
Although the word “vulnerable” appears in the last test, that’s just being echo’d out by the last command in the test, and isn’t actually being parsed or interpreted by the ash shell, as you can see from the “syntax error” complaint above it.
So the good news is that the default ash shell in DD-WRT is not affected by the Shellshock bug.
Now the bad news…
If you’ve installed OptWare on your DD-WRT router (if you don’t know what OptWare is… relax, because that means you haven’t installed it), Bash was installed on your DD-WRT router with OptWare. And the Bash shell installed with OptWare is vulnerable to the Shellshock bug, as users on the DD-WRT forums are reporting after running the exploit tests.
However…
Kong, one of the well-known developers who contributes to DD-WRT, has pointed out that even though the version of Bash installed with OptWare on DD-WRT is technically vulnerable to Shellshock:
you first need a service that is exposed to wan and this service needs to make use of bash. Thus installing bash through optware causes no risk unless you run any app that is directly accessible through wan and utilizes bash.
Kong has also said:
The only way the shellshock bug could be exploited is, that a user installs an app, e.g. apache that uses cgi to call bash and is available from wan.
There are only a handful apps in optware which could cause a problem and most of them won’t be used on the older routers as, they are much too weak to run these e.g. apache and they have to be configured in a certain way and have to be exposed to wan. I think if anyone managed have such a thing in place he knows what he is doing and should be able to reconfigure it in order to not use bash or update it.
All standard dd-wrt apps, that come with the firmware don’t use bash but busybox shell and thus not affected, even if you install bash. Thus if you have bash installed and activated lighttpd on newer build it is no problem. Same for webif or other apps that come with the firmware.
So the bottom line that even if you have Bash installed with OptWare on your DD-WRT router, and that Bash shell is technically not patched against the Shellshock bug, it’s highly unlikely that your Bash shell is exposed to the Internet, and therefore won’t be exploited by hackers.
That said, I wouldn’t be surprised to see DD-WRT developers moving to patch Bash on DD-WRT / OptWare soon… an once they do, I’ll update this post with instructions on how to perform that patch.