The following transcript illustraits the problem:
Tomato v1.28.0000 MIPSR2-121 K26AC USB AIO-64K
-bash-4.2$ export x='() { :;}; echo vulnerable'
-bash-4.2$ bash -c "echo this is a test"
vulnerable
this is a test
-bash-4.2$
In a nutshell is if the user can set ANY string that it is assigned to an environmental variable the system is vulnerable. It is not uncommon for processes to set values passed in by the user as environmental variables before spawning an shell instance such as a shell script using bash. In this case the biggest danger is shell scripts, as the default shell for busybox systems is still ash, even whin bash is installed from entware. On my own router I found I was vulnerable by several cron scripts I had written that pass values from DNS lookups that could be potentially hacked to add such a magic string by anyone with access to the DNS server. Here are some articles that describe the issue further:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
https://access.redhat.com/articles/1200223
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
