[guardian-dev] Update your servers for real

Lee Azzarello lee at guardianproject.info
Sat Sep 27 04:26:09 EDT 2014


Chris, you rule thanks. This is the first peep about SIP security I
have /ever received from anyone at any time/. I'm checking the server
but I don't think I'm using that module. I don't have to execute shell
scripts for anything on the Kamailio layer in ostel.co. I also updated
the shell a few hours after the public announcement of the exploit so
it should be moot but the escalating panic is stronk.

- -lee

On 9/26/14, 1:02 PM, Chris Ballinger wrote:
> Saw this SIP server Shellshock scanner today: 
> https://github.com/zaf/sipshock
> 
>> The exec module in Kamailio, Opensips and probably every other
>> SER fork passes the received SIP headers as environment variables to
>> the invoking shell. This makes these SIP proxies vulnerable to
>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>> exec functions and has the 'setvars' parameter set to 1 (default)
>> then by sending a SIP message containing a specially crafted header
>> we can run arbitrary code on the proxy machine.
> 
> Every time I read about the Shellshock vulnerability I get
> flashbacks to this SNES game:
> https://www.youtube.com/watch?v=lASNUQ7M8gs
> 
> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
> <lee at guardianproject.info> wrote:
> 
> Weird. I'm using a Wheezy base install built via debootstrap on an 
> Open Hosting container. It uses bash by default for the root user. 
> Perhaps debootstrap or my platform build scripts override the
> default shell for root to be bash?
> 
> Anyhoo, I think most people prefer Bash because it is very close to
> a real programming language. This shellshock shitstorm might be a 
> setback for popular programming culture.
> 
> -lee
> 
> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
> 
>> That's for "Lenny users:".  See this section:
> 
>> Squeeze users:
> 
>> * Dash is always installed.
>> * /bin/sh is dash by default (even for upgraded systems).
> 
>> .hc
> 
>> Lee Azzarello wrote:
>>> I'm confused. The article you linked is instructions to
>>> install dash and configure a base system to use it as default.
>>> Am I misunderstanding something?
>>> 
>>> -lee
>>> 
>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>> <hans at guardianproject.info> wrote:
>>> 
>>>> 
>>>> dash is still the default /bin/sh, for speed and security,
>>>> but you can change that to bash if you want: 
>>>> https://wiki.debian.org/DashAsBinSh
>>>> 
>>>> Ubuntu also uses dash by default: 
>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>> 
>>>> .hc
>>>> 
>>>> Lee Azzarello wrote:
>>>>> This output is from a Debian stable base system built with 
>>>>> debootstrap and no additional packages installed.
>>>>> 
>>>>> root at debian:~# ls -l /bin/sh
>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>> 
>>>>> I don't think Debian has used Dash since Sarge.
>>>>> 
>>>>> -lee
>>>>> 
>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>> This seems mitigated by the fact that /bin/sh is -> dash
>>>>>> on debian. So unless something does explicitly
>>>>>> #!/bin/bash, things should be okay.
>>>>> 
>>>>>> BTW, there's a related vuln that's not fixed yet - 
>>>>>> CVE-2014-7169
>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>> 
>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>>>> A remote code execution bug was found in the GNU Bash 
>>>>>>> shell.
>>>>>>> 
>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>> 
>>>>>>> I tested it on Debian stable from two days ago and 
>>>>>>> indeed, I could execute code after a function
>>>>>>> definition in an environment variable. A server I
>>>>>>> updated yesterday evening was not vulnerable, as the
>>>>>>> Debian team got a patch released quite fast.
>>>>>>> 
>>>>>>> This affects any server you run any code on, though
>>>>>>> the remote code execution attack vector is unlikely for
>>>>>>> many contemporary application servers. Read the write-up
>>>>>>> for details about a proof of concept.
>>>>>>> 
>>>>>>> Good Morning!
>>>>>>> 
>>>>>>> -lee
>>>>>>> _______________________________________________
>>>>>>> Guardian-dev mailing list
>>>>>>>
>>>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>
>>>>>>> To Unsubscribe Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>
>>>>>>> You are subscribed as: c1.android at niftybox.net
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>>> 
>>> 
> 
> 
> 
> 

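Two defender-side checks that follow from the sipshock description quoted in this thread, added here as an example (not code from the list, from sipshock, or from the ostel.co deployment): one parses a SIP message and flags any header whose value begins with the bash function-definition prefix that Shellshock triggers on, the other inspects a Kamailio/OpenSIPS config for an exec module left with `setvars` at its default of 1. The SIP message and config snippets are constructed samples; the check does not verify whether any exec function is actually called from the routing script.

```python
import re
from typing import List, Tuple

# Shellshock (CVE-2014-6271 family) triggers on an environment variable whose
# value starts with a bash function definition: "() {". With exec's setvars=1
# every SIP header becomes such a variable, so this prefix in a header is the
# signature to alert on.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_sip_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw SIP message; folded lines are joined."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split("\n")[1:]:          # skip the request/status line
        if line[:1] in (" ", "\t") and headers:  # RFC 3261 header folding
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip())
        elif ":" in line:
            name, val = line.split(":", 1)
            headers.append((name.strip(), val.strip()))
    return headers


def suspicious_headers(raw: str) -> List[str]:
    """Names of headers carrying a Shellshock-style function-definition prefix."""
    return [n for n, v in parse_sip_headers(raw) if SHELLSHOCK_RE.match(v)]


def exec_setvars_exposed(config: str) -> bool:
    """True if the config loads exec.so and setvars is unset (default 1) or non-zero."""
    if not re.search(r'loadmodule\s+"(?:[^"]*/)?exec\.so"', config):
        return False
    m = re.search(r'modparam\("exec",\s*"setvars",\s*(\d+)\)', config)
    return m is None or m.group(1) != "0"


# Constructed sample: an INVITE whose User-Agent header carries the prefix.
SAMPLE_INVITE = (
    "INVITE sip:alice@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:bob@example.test>;tag=1928301774\r\n"
    "To: <sip:alice@example.test>\r\n"
    "Subject: constructed\r\n sample\r\n"
    "User-Agent: () { :; }; true\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("flagged headers:", suspicious_headers(SAMPLE_INVITE))
    print("setvars exposed:", exec_setvars_exposed('loadmodule "exec.so"\n'))
```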