[guardian-dev] Update your servers for real
Lee Azzarello
lee at guardianproject.info
Sat Sep 27 04:26:09 EDT 2014
Chris, you rule, thanks. This is the first peep about SIP security I
have /ever received from anyone at any time/. I'm checking the server
but I don't think I'm using that module. I don't have to execute shell
scripts for anything on the Kamailio layer in ostel.co. I also updated
the shell a few hours after the public announcement of the exploit so
it should be moot but the escalating panic is stronk.
-lee
On 9/26/14, 1:02 PM, Chris Ballinger wrote:
> Saw this SIP server Shellshock scanner today:
> https://github.com/zaf/sipshock
>
>> The exec module in Kamailio, Opensips and probably every other SER
>> fork passes the received SIP headers as environment variables to
>> the invoking shell. This makes these SIP proxies vulnerable to
>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>> exec functions and has the 'setvars' parameter set to 1 (default)
>> then by sending a SIP message containing a specially crafted header
>> we can run arbitrary code on the proxy machine.
>
> Every time I read about the Shellshock vulnerability I get
> flashbacks to this SNES game:
> https://www.youtube.com/watch?v=lASNUQ7M8gs
>
> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
> <lee at guardianproject.info> wrote:
>
> Weird. I'm using a Wheezy base install built via debootstrap on an
> Open Hosting container. It uses bash by default for the root user.
> Perhaps debootstrap or my platform build scripts override the
> default shell for root to be bash?
>
> Anyhoo, I think most people prefer Bash because it is very close to
> a real programming language. This shellshock shitstorm might be a
> setback for popular programming culture.
>
> -lee
>
> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>
>> That's for "Lenny users:". See this section:
>>
>> Squeeze users:
>>
>> * Dash is always installed.
>> * /bin/sh is dash by default (even for upgraded systems).
>>
>> .hc
>
>> Lee Azzarello wrote:
>>> I'm confused. The article you linked is instructions to
>>> install dash and configure a base system to use it as default.
>>> Am I misunderstanding something?
>>>
>>> -lee
>>>
>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>> <hans at guardianproject.info> wrote:
>>>
>>>>
>>>> dash is still the default /bin/sh, for speed and security,
>>>> but you can change that to bash if you want:
>>>> https://wiki.debian.org/DashAsBinSh
>>>>
>>>> Ubuntu also uses dash by default:
>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>
>>>> .hc
>>>>
>>>> Lee Azzarello wrote:
>>>>> This output is from a Debian stable base system built with
>>>>> debootstrap and no additional packages installed.
>>>>>
>>>>> root at debian:~# ls -l /bin/sh
>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>
>>>>> I don't think Debian has used Dash since Sarge.
>>>>>
>>>>> -lee
>>>>>
>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>> This seems mitigated by the fact that /bin/sh is -> dash
>>>>>> on debian. So unless something does explicitly
>>>>>> #!/bin/bash, things should be okay.
>>>>>>
>>>>>> BTW, there's a related vuln that's not fixed yet -
>>>>>> CVE-2014-7169
>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>
>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>>>> A remote code execution bug was found in the GNU Bash
>>>>>>> shell.
>>>>>>>
>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>
>>>>>>> I tested it on Debian stable from two days ago and
>>>>>>> indeed, I could execute code after a function
>>>>>>> definition in an environment variable. A server I
>>>>>>> updated yesterday evening was not vulnerable, as the
>>>>>>> Debian team got a patch released quite fast.
>>>>>>>
>>>>>>> This affects any server you run any code on, though
>>>>>>> the remote code execution attack vector is unlikely for
>>>>>>> many contemporary application servers. Read the write-up
>>>>>>> for details about a proof of concept.
>>>>>>>
>>>>>>> Good Morning!
>>>>>>>
>>>>>>> -lee
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Guardian-dev mailing list
>>>>>>>
>>>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>
>>>>>>> To Unsubscribe Send email to:
>>>>>>> Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>>> Or visit:
>>>>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>
>>>>>>> You are subscribed as: c1.android at niftybox.net
>>>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
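A defender-side self-check prompted by this thread, added here as an example and not code from the list, the sipshock scanner or the Kamailio project: it probes the local bash for the behaviour Lee describes (commands appended to a function definition in an environment variable), reports what /bin/sh really resolves to, and scans a Kamailio config for the exec-module exposure the scanner README describes. The sample configs are constructed; `loadmodule "exec.so"`, `exec_msg` and `modparam("exec", "setvars", 0)` follow Kamailio's config syntax but are assumed here, not taken from the page.

```shell
#!/bin/sh
# Added example: local checks for the three questions the thread raises.
# 1. Does this host's bash still run commands appended to a function
#    definition in the environment (CVE-2014-6271)?
# 2. What does /bin/sh actually resolve to (dash vs bash)?
# 3. Does a Kamailio config load the exec module, call an exec_* function and
#    leave 'setvars' at its default, so SIP headers reach the shell environment?

# 0 = the probe's trailing command ran (vulnerable), 1 = patched, 2 = no such shell
shellshock_vulnerable() {
    command -v "$1" >/dev/null 2>&1 || return 2
    out=$(env PROBE='() { :;}; echo TRAILING_RAN' "$1" -c 'echo probe' 2>/dev/null)
    case "$out" in *TRAILING_RAN*) return 0 ;; *) return 1 ;; esac
}

sh_resolves_to() { readlink -f /bin/sh 2>/dev/null || echo /bin/sh; }

# 0 = exec module exposes SIP headers to the shell, 1 = not exposed, 2 = unreadable
kamailio_exec_exposed() {
    [ -r "$1" ] || return 2
    live=$(grep -v '^[[:space:]]*#' "$1")          # drop commented-out lines
    printf '%s\n' "$live" | grep -q 'loadmodule.*"[^"]*exec\.so"' || return 1
    printf '%s\n' "$live" | grep -q 'exec_[a-z]*[[:space:]]*(' || return 1
    printf '%s\n' "$live" | grep -Eq 'modparam *\( *"exec" *, *"setvars" *, *0 *\)' && return 1
    return 0
}

# Constructed sample configs (assumed Kamailio syntax, not from the page).
write_sample_cfg() {
    case "$1" in
    exposed)  printf '%s\n' 'loadmodule "exec.so"' 'route { exec_msg("/usr/local/bin/notify.sh"); }' >"$2" ;;
    hardened) printf '%s\n' 'loadmodule "exec.so"' 'modparam("exec", "setvars", 0)' 'route { exec_msg("/usr/local/bin/notify.sh"); }' >"$2" ;;
    noexec)   printf '%s\n' '# loadmodule "exec.so"' 'route { sl_send_reply("200", "OK"); }' >"$2" ;;
    esac
}

main() {
    if shellshock_vulnerable bash; then echo "bash: VULNERABLE to CVE-2014-6271, update now"
    else echo "bash: probe did not execute (patched or bash absent)"; fi
    echo "/bin/sh -> $(sh_resolves_to)"
    for cfg in "$@"; do
        if kamailio_exec_exposed "$cfg"; then echo "$cfg: SIP headers reach the shell via exec (setvars default)"
        else echo "$cfg: exec module not exposing SIP headers"; fi
    done
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh check.sh /etc/kamailio/kamailio.cfg`; a hit on the third check means every received SIP header is exported into the environment of whatever the exec functions spawn, so the bash update matters even where /bin/sh is dash.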