[guardian-dev] Update your servers for real

Hans-Christoph Steiner hans at guardianproject.info
Fri Sep 26 13:24:51 EDT 2014


Another reason why bash should never be your /bin/sh.  For scripts that need
bash, they can easily use the shebang #!/bin/bash.  dash provides a more
secure, faster /bin/sh that is /bin/sh without unneeded extras.

.hc

Chris Ballinger wrote:
> Saw this SIP server Shellshock scanner today:
> https://github.com/zaf/sipshock
> 
>> The exec module in Kamailio, Opensips and probably every other SER fork
>> passes the received SIP headers as environment variables to the invoking
>> shell. This makes these SIP proxies vulnerable to CVE-2014-6271 (Bash
>> Shellshock). If a proxy is using any of the exec functions and has the
>> 'setvars' parameter set to 1 (default) then by sending a SIP message
>> containing a specially crafted header we can run arbitrary code on the
>> proxy machine.
> 
> Every time I read about the Shellshock vulnerability I get flashbacks to
> this SNES game: https://www.youtube.com/watch?v=lASNUQ7M8gs
> 
> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello <lee at guardianproject.info>
> wrote:
> 
> Weird. I'm using a Wheezy base install built via debootstrap on an
> Open Hosting container. It uses bash by default for the root user.
> Perhaps debootstrap or my platform build scripts override the default
> shell for root to be bash?
> 
> Anyhoo, I think most people prefer Bash because it is very close to a
> real programming language. This shellshock shitstorm might be a
> setback for popular programming culture.
> 
> -lee
> 
> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>
>>>> That's for "Lenny users:".  See this section:
>>>>
>>>> Squeeze users:
>>>>
>>>> * Dash is always installed.
>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>
>>>> .hc
>>>>
>>>> Lee Azzarello wrote:
>>>>> I'm confused. The article you linked is instructions to install
>>>>> dash and configure a base system to use it as default. Am I
>>>>> misunderstanding something?
>>>>>
>>>>> -lee
>>>>>
>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner <
>>>>> hans at guardianproject.info> wrote:
>>>>>
>>>>>>
>>>>>> dash is still the default /bin/sh, for speed and security, but
>>>>>> you can change that to bash if you want:
>>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>>
>>>>>> Ubuntu also uses dash by default:
>>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>>
>>>>>> .hc
>>>>>>
>>>>>> Lee Azzarello wrote:
>>>>>>> This output is from a Debian stable base system built with
>>>>>>> debootstrap and no additional packages installed.
>>>>>>>
>>>>>>> root at debian:~# ls -l /bin/sh
>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>
>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>
>>>>>>> -lee
>>>>>>>
>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>> This seems mitigated by the fact that /bin/sh is -> dash on
>>>>>>>> debian. So unless something does explicitly #!/bin/bash,
>>>>>>>> things should be okay.
>>>>>>>
>>>>>>>> BTW, there's a related vuln that's not fixed yet -
>>>>>>>> CVE-2014-7169 https://news.ycombinator.com/item?id=8365158
>>>>>>>
>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>>>>>> A remote code execution bug was found in the GNU Bash
>>>>>>>>> shell.
>>>>>>>>>
>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>
>>>>>>>>> I tested it on Debian stable from two days ago and
>>>>>>>>> indeed, I could execute code after a function definition
>>>>>>>>> in an environment variable. A server I updated yesterday
>>>>>>>>> evening was not vulnerable, as the Debian team got a
>>>>>>>>> patch released quite fast.
>>>>>>>>>
>>>>>>>>> This affects any server you run any code on, though the
>>>>>>>>> remote code execution attack vector is unlikely for many
>>>>>>>>> contemporary application servers. Read the write up for
>>>>>>>>> details about a proof of concept.
>>>>>>>>>
>>>>>>>>> Good Morning!
>>>>>>>>>
>>>>>>>>> -lee
>>>>>>>
>>>>>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>>>>
>>>>
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
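As an added check written for this page (not code from the thread, from Kamailio, OpenSIPS or from the sipshock scanner), the script below reports which binary /bin/sh resolves to and probes a shell with the CVE-2014-6271 test payload by way of a hypothetical stand-in for a daemon that copies an untrusted header value into the environment before spawning a shell. The daemon function, the SIP_HEADER variable name and the header value are constructed for the example.

```shell
#!/bin/sh
# Added example: not from the thread above or from any project it mentions.
# It shows (1) what /bin/sh actually resolves to and (2) whether a given
# shell executes code appended to a function definition passed through the
# environment, which is the CVE-2014-6271 pattern. The daemon below is a
# hypothetical stand-in for a program that copies an untrusted header into
# the environment before spawning a shell; the header value is constructed.

# Print the basename of the binary behind /bin/sh (or the path in $1),
# following symlinks, so "dash" vs "bash" is visible at a glance.
sh_target() {
    basename "$(readlink -f "${1:-/bin/sh}")"
}

# Hypothetical daemon behaviour: export an untrusted value to a child shell.
# $1 is the shell to spawn, $2 is the attacker-controlled header value.
# The prefix assignment exports SIP_HEADER only to that one child process.
exec_with_header() {
    SIP_HEADER="$2" "$1" -c 'echo handled' 2>/dev/null
}

# Probe a shell with the classic Shellshock payload. The shell is only
# asked to echo "handled"; if "vulnerable" also appears, the interpreter
# parsed SIP_HEADER as a function definition and ran the trailing command.
# Prints "vulnerable" or "not vulnerable".
probe() {
    out=$(exec_with_header "$1" '() { :;}; echo vulnerable' || true)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# Stand-alone run: report /bin/sh's real target and probe each shell present.
printf '/bin/sh -> %s\n' "$(sh_target)"
for s in /bin/sh /bin/dash /bin/bash; do
    if [ -x "$s" ]; then
        printf '%s: %s\n' "$s" "$(probe "$s")"
    fi
done
```

Run it with the distribution's /bin/sh; a dash /bin/sh, or a patched bash, reports "not vulnerable" for every interpreter probed. The probe exercises only the original CVE-2014-6271 parser behaviour, not the follow-on CVE-2014-7169 issue mentioned in the thread, so a clean result is a sanity check on what spawns from your daemons, not a substitute for installing the updated bash package.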

