• March 28, 2024, 10:55:49 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Are D-Link cameras vulnerable to Shellshock (bash shell bug)?  (Read 3641 times)

GaryNY

  • Level 2 Member
  • **
  • Posts: 60
Are D-Link cameras vulnerable to Shellshock (bash shell bug)?
« on: September 26, 2014, 10:22:48 AM »

I'm wondering if any of the D-Link cameras are vulnerable to the recently discovered shellshock bug (a bug in the Unix/Linux bash shell)? If they are, I wonder if a fix will be released, and in the mean time, if they are vulnerable, I would disable the uPNP port forwarding in my router, to make them not directly exposed to the internet. I expect this would reduce the risk considerably. To help me decide whether port forwarding is now too risky, I would like to know if there's any vulnerability.
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

GaryNY

  • Level 2 Member
  • **
  • Posts: 60
Re: Are D-Link cameras vulnerable to Shellshock (bash shell bug)?
« Reply #2 on: September 26, 2014, 10:45:54 AM »

OK, thanks for the quick response.  Based on that, it appears there should be no vulnerability. In general though, I've read web applications utilizing cgi or php could be exploited by sending a specially crafted URL, but this also requires that bash be the default shell (c or ksh could also be the default). I do note that many D-Link cameras do support cgi (for example, http://<ip-address>/image/jpeg.cgi?profileid=1 will return an image, so I wondered if it was possible to reach bash by altering this URL... sounds like the answer is no).
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Are D-Link cameras vulnerable to Shellshock (bash shell bug)?
« Reply #3 on: September 26, 2014, 10:49:12 AM »

You are correct. Even if it could be done, still need the log in information to gain access from the WAN side I believe. You can just arbitrarily send code to a device with out several processes being met from the WAN side.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

GaryNY

  • Level 2 Member
  • **
  • Posts: 60
Re: Are D-Link cameras vulnerable to Shellshock (bash shell bug)?
« Reply #4 on: September 26, 2014, 11:02:04 AM »

Good point, I think you are correct about that, I can't use that cgi link without first logging in, and my camera requires a login.
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Are D-Link cameras vulnerable to Shellshock (bash shell bug)?
« Reply #5 on: September 26, 2014, 11:13:33 AM »

 ;)
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.