[guardian-dev] Update your servers for real

Chris Ballinger chrisballinger at gmail.com
Fri Sep 26 13:02:40 EDT 2014


Saw this SIP server Shellshock scanner today:
https://github.com/zaf/sipshock

> The exec module in Kamailio, Opensips and probably every other SER fork
> passes the received SIP headers as environment variables to the invoking
> shell. This makes these SIP proxies vulnerable to CVE-2014-6271 (Bash
> Shellshock). If a proxy is using any of the exec functions and has the
> 'setvars' parameter set to 1 (default) then by sending SIP message
> containing a specially crafted header we can run arbitrary code on the
> proxy machine.

Every time I read about the Shellshock vulnerability I get flashbacks to
this SNES game: https://www.youtube.com/watch?v=lASNUQ7M8gs

On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello <lee at guardianproject.info>
wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Weird. I'm using a Wheezy base install built via debootstrap on an
> Open Hosting container. It uses bash by default for the root user.
> Perhaps debootstrap or my platform build scripts override the default
> shell for root to be bash?
>
> Anyhoo, I think most people prefer Bash because it is very close to a
> real programming language. This shellshock shitstorm might be a
> setback for popular programming culture.
>
> - -lee
>
> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
> >
> > That's for "Lenny users:".  See this section:
> >
> > Squeeze users:
> >
> > * Dash is always installed.
> > * /bin/sh is dash by default (even for upgraded systems).
> >
> > .hc
> >
> > Lee Azzarello wrote:
> >> I'm confused. The article you linked is instructions to install
> >> dash and configure a base system to use it as default. Am I
> >> misunderstanding something?
> >>
> >> -lee
> >>
> >> On Thursday, September 25, 2014, Hans-Christoph Steiner <
> >> hans at guardianproject.info> wrote:
> >>
> >>>
> >>> dash is still the default /bin/sh, for speed and security, but
> >>> you can change that to bash if you want:
> >>> https://wiki.debian.org/DashAsBinSh
> >>>
> >>> Ubuntu also uses dash by default:
> >>> https://wiki.ubuntu.com/DashAsBinSh
> >>>
> >>> .hc
> >>>
> >>> Lee Azzarello wrote:
> >>>> This output is from a Debian stable base system built with
> >>>> debootstrap and no additional packages installed.
> >>>>
> >>>> root@debian:~# ls -l /bin/sh
> >>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
> >>>>
> >>>> I don't think Debian has used Dash since Sarge.
> >>>>
> >>>> -lee
> >>>>
> >>>> On 9/25/14, 1:36 PM, Dev Random wrote:
> >>>>> This seems mitigated by the fact that /bin/sh is -> dash on
> >>>>> debian. So unless something does explicitly #!/bin/bash,
> >>>>> things should be okay.
> >>>>
> >>>>> BTW, there's a related vuln that's not fixed yet -
> >>>>> CVE-2014-7169 https://news.ycombinator.com/item?id=8365158
> >>>>
> >>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
> >>>>>> A remote code execution bug was found in the GNU Bash
> >>>>>> shell.
> >>>>>>
> >>>>>> http://seclists.org/oss-sec/2014/q3/650
> >>>>>>
> >>>>>> I tested it on Debian stable from two days ago and
> >>>>>> indeed, I could execute code after a function definition
> >>>>>> in an environment variable. A server I updated yesterday
> >>>>>> evening was not vulnerable, as the Debian team got a
> >>>>>> patch released quite fast.
> >>>>>>
> >>>>>> This affects any server you run any code on, though the
> >>>>>> remote code execution attack vector is unlikely for many
> >>>>>> contemporary application servers. Read the write up for
> >>>>>> details about a proof of concept.
> >>>>>>
> >>>>>> Good Morning!
> >>>>>>
> >>>>>> -lee
> >>>>>> _______________________________________________
> >>>>>> Guardian-dev mailing list
> >>>>>>
> >>>>>> Post: Guardian-dev at lists.mayfirst.org
> >>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> >>>>>>
> >>>>>> To Unsubscribe
> >>>>>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
> >>>>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
> >>>>>>
> >>>>>> You are subscribed as: c1.android at niftybox.net
> >>>
> >>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587
> >>> 374B BE81
> >>>
> >>
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> -----END PGP SIGNATURE-----
>
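
The check discussed in the quoted thread (does /bin/sh resolve to dash or bash, and does anything request bash explicitly with a shebang) written as a script. This is an added example, not part of the original messages; the function names `sh_target`, `is_bash_script`, `bash_scripts_in` and `audit` are hypothetical, and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Added example: report which shell /bin/sh resolves to and which scripts
# ask for bash by shebang. All function names here are hypothetical.

# Print the basename of the final target of a (possibly symlinked) shell path.
sh_target() {
    path=${1:-/bin/sh}
    resolved=$(readlink -f "$path" 2>/dev/null) || resolved=$path
    basename "$resolved"
}

# Succeed if the first line of file $1 is a shebang that invokes bash.
is_bash_script() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    first=
    # read fails on a file without a trailing newline but still fills $first
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in
        '#!'*/bash|'#!'*/bash' '*|'#!'*/env' 'bash|'#!'*/env' 'bash' '*)
            return 0 ;;
    esac
    return 1
}

# List, sorted, the files under the given directories with a bash shebang.
bash_scripts_in() {
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do
        if is_bash_script "$f"; then printf '%s\n' "$f"; fi
    done
}

# Human-readable report for the directories given as arguments.
audit() {
    target=$(sh_target /bin/sh)
    echo "/bin/sh resolves to: $target"
    if [ "$target" = bash ]; then
        echo "bash handles every /bin/sh invocation on this host"
    fi
    echo "scripts that request bash explicitly:"
    bash_scripts_in "$@"
}

# Run the report only when directories are passed on the command line,
# e.g.: sh audit.sh /etc/init.d /usr/local/bin
if [ "$#" -gt 0 ]; then audit "$@"; fi
```
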