<div dir="ltr">Saw this SIP server Shellshock scanner today: <a href="https://github.com/zaf/sipshock">https://github.com/zaf/sipshock</a><br><div><br></div><div>> The exec module in Kamailio, Opensips and probably every other SER fork passes the received SIP headers as environment variables to the invoking shell. This makes these SIP proxies vulnerable to CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the exec functions and has the 'setvars' parameter set to 1 (default) then by sending a SIP message containing a specially crafted header we can run arbitrary code on the proxy machine.</div><div><br></div><div>Every time I read about the Shellshock vulnerability I get flashbacks to this SNES game: <a href="https://www.youtube.com/watch?v=lASNUQ7M8gs">https://www.youtube.com/watch?v=lASNUQ7M8gs</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello <span dir="ltr"><<a href="mailto:lee@guardianproject.info" target="_blank">lee@guardianproject.info</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span>Weird. I'm using a Wheezy base install built via debootstrap on an<br>
Open Hosting container. It uses bash by default for the root user.<br>
Perhaps debootstrap or my platform build scripts override the default<br>
shell for root to be bash?<br>
<br>
Anyhoo, I think most people prefer Bash because it is very close to a<br>
real programming language. This shellshock shitstorm might be a<br>
setback for popular programming culture.<br>
<br>
- -lee<br>
<div><div class="h5"><br>
On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:<br>
><br>
> That's for "Lenny users:". See this section:<br>
><br>
> Squeeze users:<br>
><br>
> * Dash is always installed.<br>
> * /bin/sh is dash by default (even for upgraded systems).<br>
><br>
> .hc<br>
><br>
> Lee Azzarello wrote:<br>
>> I'm confused. The article you linked is instructions to install<br>
>> dash and configure a base system to use it as default. Am I<br>
>> misunderstanding something?<br>
>><br>
>> -lee<br>
>><br>
>> On Thursday, September 25, 2014, Hans-Christoph Steiner <<br>
>> <a href="mailto:hans@guardianproject.info">hans@guardianproject.info</a>> wrote:<br>
>><br>
>>><br>
>>> dash is still the default /bin/sh, for speed and security, but<br>
>>> you can change that to bash if you want:<br>
>>> <a href="https://wiki.debian.org/DashAsBinSh" target="_blank">https://wiki.debian.org/DashAsBinSh</a><br>
>>><br>
>>> Ubuntu also uses dash by default:<br>
>>> <a href="https://wiki.ubuntu.com/DashAsBinSh" target="_blank">https://wiki.ubuntu.com/DashAsBinSh</a><br>
>>><br>
>>> .hc<br>
>>><br>
>>> Lee Azzarello wrote:<br>
>>>> This output is from a Debian stable base system built with<br>
>>>> debootstrap and no additional packages installed.<br>
>>>><br>
>>>> root@debian:~# ls -l /bin/sh<br>
>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash<br>
>>>><br>
>>>> I don't think Debian has used Dash since Sarge.<br>
>>>><br>
>>>> -lee<br>
>>>><br>
>>>> On 9/25/14, 1:36 PM, Dev Random wrote:<br>
>>>>> This seems mitigated by the fact that /bin/sh is -> dash on<br>
>>>>> debian. So unless something does explicitly #!/bin/bash,<br>
>>>>> things should be okay.<br>
>>>><br>
>>>>> BTW, there's a related vuln that's not fixed yet -<br>
>>>>> CVE-2014-7169 <a href="https://news.ycombinator.com/item?id=8365158" target="_blank">https://news.ycombinator.com/item?id=8365158</a><br>
>>>><br>
>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:<br>
>>>>>> A remote code execution bug was found in the GNU Bash<br>
>>>>>> shell.<br>
>>>>>><br>
>>>>>> <a href="http://seclists.org/oss-sec/2014/q3/650" target="_blank">http://seclists.org/oss-sec/2014/q3/650</a><br>
>>>>>><br>
>>>>>> I tested it on Debian stable from two days ago and<br>
>>>>>> indeed, I could execute code after a function definition<br>
>>>>>> in an environment variable. A server I updated yesterday<br>
>>>>>> evening was not vulnerable, as the Debian team got a<br>
>>>>>> patch released quite fast.<br>
>>>>>><br>
>>>>>> This affects any server you run any code on, though the<br>
>>>>>> remote code execution attack vector is unlikely for many<br>
>>>>>> contemporary application servers. Read the write up for<br>
>>>>>> details about a proof of concept.<br>
>>>>>><br>
>>>>>> Good Morning!<br>
>>>>>><br>
>>>>>> -lee<br>
>>>>>> _______________________________________________<br>
>>>>>> Guardian-dev mailing list<br>
>>>>>><br>
>>>>>> Post: <a href="mailto:Guardian-dev@lists.mayfirst.org">Guardian-dev@lists.mayfirst.org</a><br>
>>>>>> List info: <a href="https://lists.mayfirst.org/mailman/listinfo/guardian-dev" target="_blank">https://lists.mayfirst.org/mailman/listinfo/guardian-dev</a><br>
>>>>>><br>
>>>>>> To Unsubscribe Send email to: <a href="mailto:Guardian-dev-unsubscribe@lists.mayfirst.org">Guardian-dev-unsubscribe@lists.mayfirst.org</a><br>
>>>>>> Or visit: <a href="https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net" target="_blank">https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net</a><br>
>>>>>><br>
>>>>>> You are subscribed as: <a href="mailto:c1.android@niftybox.net">c1.android@niftybox.net</a><br>
>>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81<br>
>>><br>
>><br>
><br>
<br>
</div></div>
</blockquote></div><br></div>
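Added example, not part of the original thread: a shell audit for the point debated above, namely which interpreter /bin/sh resolves to, which scripts name bash explicitly in their shebang, and which accounts log in with bash. The function names, the `--report` flag and the directories scanned in the report are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: where can bash still be reached if /bin/sh is dash?
# Function names and the --report flag are hypothetical; every path is a
# parameter so the checks can be pointed at a chroot or a test fixture.

# Name of the interpreter a shell path resolves to (one symlink level).
# A non-symlink prints its own basename.
sh_target() {
    p=${1:-/bin/sh}
    if [ -L "$p" ]; then
        basename "$(readlink "$p")"
    else
        basename "$p"
    fi
}

# Files under directory $1 whose first line is a bash shebang.
bash_scripts() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\0')
        case $first in
            '#!'*/bash | '#!'*/bash' '* | '#!'*'env bash' | '#!'*'env bash '*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# Accounts in a passwd-format file whose login shell is bash.
bash_logins() {
    awk -F: '$7 ~ /\/bash$/ { print $1 }' "${1:-/etc/passwd}"
}

if [ "${1:-}" = "--report" ]; then
    echo "/bin/sh resolves to: $(sh_target /bin/sh)"
    echo "accounts with a bash login shell:"; bash_logins /etc/passwd
    echo "scripts with a bash shebang (assumed directories):"
    for dir in /etc/init.d /etc/cron.daily /usr/lib/cgi-bin; do
        bash_scripts "$dir"
    done
fi
```

Anything listed by `bash_scripts` or `bash_logins` still runs bash regardless of what /bin/sh points to, so those are the places a patched bash package matters.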