[guardian-dev] Update your servers for real

Lee Azzarello lee at guardianproject.info
Sat Sep 27 04:32:56 EDT 2014



If I'm not mistaken, you just recommended not using bash as a
solution. Is that correct?

- -lee

On 9/26/14, 1:24 PM, Hans-Christoph Steiner wrote:
> 
> Another reason why bash should never be your /bin/sh.  For scripts
> that need bash, they can easily use the shebang #!/bin/bash.  dash
> provides a more secure, faster /bin/sh that is /bin/sh without
> unneeded extras.
> 
> .hc
> 
> Chris Ballinger wrote:
>> Saw this SIP server Shellshock scanner today: 
>> https://github.com/zaf/sipshock
>> 
>>> The exec module in Kamailio, Opensips and probably every other
>>> SER fork passes the received SIP headers as environment
>>> variables to the invoking shell. This makes these SIP proxies
>>> vulnerable to CVE-2014-6271 (Bash Shellshock). If a proxy is
>>> using any of the exec functions and has the 'setvars' parameter
>>> set to 1 (default) then by sending a SIP message containing a
>>> specially crafted header we can run arbitrary code on the proxy
>>> machine.
>> 
>> Every time I read about the Shellshock vulnerability I get
>> flashbacks to this SNES game:
>> https://www.youtube.com/watch?v=lASNUQ7M8gs
>> 
>> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
>> <lee at guardianproject.info> wrote:
>> 
>> Weird. I'm using a Wheezy base install built via debootstrap on
>> an Open Hosting container. It uses bash by default for the root
>> user. Perhaps debootstrap or my platform build scripts override
>> the default shell for root to be bash?
>> 
>> Anyhoo, I think most people prefer Bash because it is very close
>> to a real programming language. This shellshock shitstorm might
>> be a setback for popular programming culture.
>> 
>> -lee
>> 
>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>> 
>>>>> That's for "Lenny users:".  See this section:
>>>>> 
>>>>> Squeeze users:
>>>>> 
>>>>> * Dash is always installed.
>>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>> 
>>>>> .hc
>>>>> 
>>>>> Lee Azzarello wrote:
>>>>>> I'm confused. The article you linked is instructions to
>>>>>> install dash and configure a base system to use it as
>>>>>> default. Am I misunderstanding something?
>>>>>> 
>>>>>> -lee
>>>>>> 
>>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>>>>> < hans at guardianproject.info> wrote:
>>>>>> 
>>>>>>> 
>>>>>>> dash is still the default /bin/sh, for speed and
>>>>>>> security, but you can change that to bash if you want: 
>>>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>>> 
>>>>>>> Ubuntu also uses dash by default: 
>>>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>>> 
>>>>>>> .hc
>>>>>>> 
>>>>>>> Lee Azzarello wrote:
>>>>>>>> This output is from a Debian stable base system built
>>>>>>>> with debootstrap and no additional packages
>>>>>>>> installed.
>>>>>>>> 
>>>>>>>> root at debian:~# ls -l /bin/sh
>>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>> 
>>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>> 
>>>>>>>> -lee
>>>>>>>> 
>>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>>> This seems mitigated by the fact that /bin/sh is ->
>>>>>>>>> dash on debian. So unless something does explicitly
>>>>>>>>> #!/bin/bash, things should be okay.
>>>>>>>> 
>>>>>>>>> BTW, there's a related vuln that's not fixed yet - 
>>>>>>>>> CVE-2014-7169
>>>>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>>> 
>>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello
>>>>>>>>> wrote:
>>>>>>>>>> A remote code execution bug was found in the GNU
>>>>>>>>>> Bash shell.
>>>>>>>>>> 
>>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>> 
>>>>>>>>>> I tested it on Debian stable from two days ago
>>>>>>>>>> and indeed, I could execute code after a function
>>>>>>>>>> definition in an environment variable. A server I
>>>>>>>>>> updated yesterday evening was not vulnerable, as
>>>>>>>>>> the Debian team got a patch released quite fast.
>>>>>>>>>> 
>>>>>>>>>> This affects any server you run any code on,
>>>>>>>>>> though the remote code execution attack vector is
>>>>>>>>>> unlikely for many contemporary application
>>>>>>>>>> servers. Read the write up for details about a
>>>>>>>>>> proof of concept.
>>>>>>>>>> 
>>>>>>>>>> Good Morning!
>>>>>>>>>> 
>>>>>>>>>> -lee
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Guardian-dev mailing list
>>>>>>>>>>
>>>>>>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>>>>
>>>>>>>>>> To Unsubscribe Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>>>>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>>>>
>>>>>>>>>> You are subscribed as: c1.android at niftybox.net
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F
>>>>>>> E587 374B BE81
>>>>>> 
>>>>> 
>> 
>> 
>> 
>> 
> 

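Defender-side checks for the three points this thread raises (what /bin/sh actually resolves to, whether a given bash binary is still vulnerable to CVE-2014-6271, and whether a Kamailio/OpenSIPS config loads the exec module with 'setvars' left at its default of 1), written as an added example that is not part of the thread, of Debian, or of sipshock. The function names are hypothetical. The Kamailio check is a textual grep over the config file, not a config parser, and assumes the usual loadmodule "exec.so" / modparam("exec", "setvars", 0) syntax; the sample configs and the sh -> bash symlink it demonstrates on are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: defender-side checks for the Shellshock thread above.
# Runs under any POSIX sh (dash included). Function names are hypothetical.

# 1. What does a /bin/sh path resolve to? CGI, cron, system(3) and the SIP
#    exec modules all run /bin/sh, so "dash" vs "bash" is the whole question.
sh_target() {
    # Prints the basename at the end of the symlink chain, e.g. "dash" or "bash".
    basename "$(readlink -f "${1:-/bin/sh}")"
}

# 2. Is a given bash binary still vulnerable to CVE-2014-6271?
#    This is the widely published harmless probe: a function definition in an
#    environment variable with trailing text. A patched bash ignores the
#    trailing text; an unpatched one runs it and prints the marker.
shellshock_status() {
    shell="$1"
    [ -x "$shell" ] || { echo "missing"; return 2; }
    out=$(env probe='() { :;}; echo SHELLSHOCK' "$shell" -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# 3. Does a Kamailio/OpenSIPS config load exec.so without turning setvars off?
#    Reports "exposed" (SIP headers exported into the shell environment),
#    "setvars-off", or "no-exec". Textual check only, not a config parser.
kamailio_exec_exposure() {
    cfg="$1"
    if ! grep -Eq '^[[:space:]]*loadmodule[[:space:]]+"(.*/)?exec\.so"' "$cfg"; then
        echo "no-exec"; return 0
    fi
    if grep -Eq '^[[:space:]]*modparam\("exec",[[:space:]]*"setvars",[[:space:]]*0\)' "$cfg"; then
        echo "setvars-off"; return 0
    fi
    echo "exposed"; return 1
}

# --- demo on constructed inputs (a temp dir, not a real system) ---
demo() {
    tmp=$(mktemp -d)
    # A /bin/sh symlink pointing at bash, like the debootstrap output quoted above.
    touch "$tmp/bash"
    ln -s bash "$tmp/sh"
    echo "constructed sh -> $(sh_target "$tmp/sh")"
    echo "this host's /bin/sh -> $(sh_target /bin/sh)"

    # Constructed Kamailio configs: one with the default, one with setvars off.
    printf 'loadmodule "exec.so"\nmodparam("exec", "setvars", 1)\n' > "$tmp/exposed.cfg"
    printf 'loadmodule "exec.so"\nmodparam("exec", "setvars", 0)\n' > "$tmp/safe.cfg"
    for f in exposed safe; do
        echo "$f.cfg: $(kamailio_exec_exposure "$tmp/$f.cfg")"
    done

    bash_bin=$(command -v bash 2>/dev/null || echo /bin/bash)
    echo "$bash_bin: $(shellshock_status "$bash_bin")"
    rm -rf "$tmp"
}
demo
```

Note that "setvars-off" only removes the SIP-header-to-environment path; the bash package still has to be updated, since anything else that builds an environment from untrusted input and then runs /bin/sh -> bash (or a #!/bin/bash script) is unaffected by the Kamailio setting.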

