[guardian-dev] Update your servers for real

David Holl david at ad5ey.net
Sat Sep 27 08:12:20 EDT 2014


I got tired of the hype.  How's the following code for a mitigation, at
least until bash is officially fixed?

The code is at http://ad5ey.net/bash_shock_fix.c
And sig is at http://ad5ey.net/bash_shock_fix.c.asc

Simple usage:

cd /bin
gcc -std=c11 -Wall -Wextra bash_shock_fix.c -o bash_shock_fix
mv bash bash.real
ln -s bash_shock_fix bash

phoenix(pts/1):~bin# ls -al bash*
lrwxrwxrwx 1 root root      14 Sep 27 00:23 bash -> bash_shock_fix
-rwxr-xr-x 1 root root 1029624 Sep 24 14:51 bash.real
-rwxr-xr-x 1 root root    9555 Sep 27 00:23 bash_shock_fix
-rw-r--r-- 1 root root    2990 Sep 27 00:23 bash_shock_fix.c
phoenix(pts/1):~bin#

Basically, if some program does invoke /bin/bash, control first passes
to bash_shock_fix which truncates suspicious environment variables.
(and it dumps messages to the system log if/when it finds anything...)

The check should match for any variety of white space:

=(){
=() {
= ( ) {

etc...  but feel free to update it for whatever other stupid things bash
allows.

- David


On 9/27/14, 4:26 AM, Lee Azzarello wrote:
| Chris, you rule thanks. This is the first peep about SIP security I
| have /ever received from anyone at any time/. I'm checking the server
| but I don't think I'm using that module. I don't have to execute shell
| scripts for anything on the Kamailio layer in ostel.co. I also updated
| the shell a few hours after the public announcement of the exploit so
| it should be moot but the escalating panic is stronk.
|
| -lee
|
| On 9/26/14, 1:02 PM, Chris Ballinger wrote:
|> Saw this SIP server Shellshock scanner today:
|> https://github.com/zaf/sipshock
|
|>> The exec module in Kamailio, Opensips and probably every other
|>> SER fork passes the received SIP headers as environment variables to
|>> the invoking shell. This makes these SIP proxies vulnerable to
|>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
|>> exec functions and has the 'setvars' parameter set to 1 (default)
|>> then by sending a SIP message containing a specially crafted header
|>> we can run arbitrary code on the proxy machine.
|
|> Every time I read about the Shellshock vulnerability I get
|> flashbacks to this SNES game:
|> https://www.youtube.com/watch?v=lASNUQ7M8gs
|
|> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
|> <lee at guardianproject.info> wrote:
|
|> Weird. I'm using a Wheezy base install built via debootstrap on an
|> Open Hosting container. It uses bash by default for the root user.
|> Perhaps debootstrap or my platform build scripts override the
|> default shell for root to be bash?
|
|> Anyhoo, I think most people prefer Bash because it is very close to
|> a real programming language. This shellshock shitstorm might be a
|> setback for popular programming culture.
|
|> -lee
|
|> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
|
|>> That's for "Lenny users:".  See this section:
|
|>> Squeeze users:
|
|>> * Dash is always installed.
|>> * /bin/sh is dash by default (even for upgraded systems).
|
|>> .hc
|
|>> Lee Azzarello wrote:
|>>> I'm confused. The article you linked is instructions to
|>>> install dash and configure a base system to use it as default.
|>>> Am I misunderstanding something?
|>>>
|>>> -lee
|>>>
|>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
|>>> <hans at guardianproject.info> wrote:
|>>>
|>>>>
|>>>> dash is still the default /bin/sh, for speed and security,
|>>>> but you can change that to bash if you want:
|>>>> https://wiki.debian.org/DashAsBinSh
|>>>>
|>>>> Ubuntu also uses dash by default:
|>>>> https://wiki.ubuntu.com/DashAsBinSh
|>>>>
|>>>> .hc
|>>>>
|>>>> Lee Azzarello wrote:
|>>>>> This output is from a Debian stable base system built with
|>>>>> debootstrap and no additional packages installed.
|>>>>>
|>>>>> root at debian:~# ls -l /bin/sh
|>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
|>>>>>
|>>>>> I don't think Debian has used Dash since Sarge.
|>>>>>
|>>>>> -lee
|>>>>>
|>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
|>>>>>> This seems mitigated by the fact that /bin/sh is -> dash
|>>>>>> on debian. So unless something does explicitly
|>>>>>> #!/bin/bash, things should be okay.
|>>>>>
|>>>>>> BTW, there's a related vuln that's not fixed yet -
|>>>>>> CVE-2014-7169
|>>>>>> https://news.ycombinator.com/item?id=8365158
|>>>>>
|>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
|>>>>>>> A remote code execution bug was found in the GNU Bash
|>>>>>>> shell.
|>>>>>>>
|>>>>>>> http://seclists.org/oss-sec/2014/q3/650
|>>>>>>>
|>>>>>>> I tested it on Debian stable from two days ago and
|>>>>>>> indeed, I could execute code after a function
|>>>>>>> definition in an environment variable. A server I
|>>>>>>> updated yesterday evening was not vulnerable, as the
|>>>>>>> Debian team got a patch released quite fast.
|>>>>>>>
|>>>>>>> This affects any server you run any code on, though
|>>>>>>> the remote code execution attack vector is unlikely for
|>>>>>>> many contemporary application servers. Read the write
|>>>>>>> up for details about a proof of concept.
|>>>>>>>
|>>>>>>> Good Morning!
|>>>>>>>
|>>>>>>> -lee
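The following is an added example in the spirit of the stopgap David describes above; it is not his bash_shock_fix.c (that source is at the URL in his message) and was not posted to the list. It scans the environment for values that look like an exported function body, accepting any amount of whitespace between the "(", ")" and "{" as his message asks for, blanks each such value in place, reports the variable name to the system log, and then execs /bin/bash.real, matching the mv/ln layout he shows. The syslog ident "bash_shock_wrapper" and facility LOG_AUTH are choices made here, not taken from his code; the sample values in the comments are constructed.

```c
/* bash_shock_wrapper.c: added example of an environment-scrubbing shim in
 * front of the real bash. Install as /bin/bash after renaming the real
 * binary to /bin/bash.real, as in the usage shown in the message above.
 * Build: gcc -std=c11 -Wall -Wextra bash_shock_wrapper.c -o bash_shock_wrapper
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

extern char **environ;

/* Path of the renamed real shell (from the "mv bash bash.real" step). */
#define REAL_BASH "/bin/bash.real"

/* Return 1 if an environment VALUE opens like an exported bash function
 * definition: "(" then ")" then "{", with any whitespace between them, so
 * "(){", "() {" and " ( ) {" all match (constructed samples), while an
 * ordinary value such as "/usr/bin" does not. */
int is_function_export(const char *value)
{
    const char *p = value;
    while (isspace((unsigned char)*p)) p++;
    if (*p++ != '(') return 0;
    while (isspace((unsigned char)*p)) p++;
    if (*p++ != ')') return 0;
    while (isspace((unsigned char)*p)) p++;
    return *p == '{';
}

/* Walk a NULL-terminated NAME=VALUE array, truncate every suspicious value
 * in place (the entry becomes "NAME=") and return the number of hits.
 * When do_log is non-zero, each hit is reported to syslog by name only;
 * the value itself is never logged. */
int scrub_environment(char **envp, int do_log)
{
    int hits = 0;
    for (char **e = envp; *e != NULL; e++) {
        char *eq = strchr(*e, '=');
        if (eq == NULL)
            continue;               /* malformed entry, leave it alone */
        if (is_function_export(eq + 1)) {
            if (do_log)
                syslog(LOG_WARNING, "truncated suspicious variable %.*s",
                       (int)(eq - *e), *e);
            eq[1] = '\0';           /* keep the name, drop the body */
            hits++;
        }
    }
    return hits;
}

int main(int argc, char **argv)
{
    (void)argc;
    openlog("bash_shock_wrapper", LOG_PID, LOG_AUTH);  /* ident/facility assumed */
    scrub_environment(environ, 1);
    closelog();
    /* argv is passed through unchanged so bash.real sees the same argv[0],
     * script path and options the caller used. */
    execv(REAL_BASH, argv);
    perror("execv " REAL_BASH);
    return 127;
}
```

The wrapper blanks a matching variable instead of unsetting it, so a script that reads the name still sees an empty string rather than a missing variable. It only covers invocations that actually go through /bin/bash; a copy of bash elsewhere on the system, or a statically linked one inside a container, is not protected, so it is a stopgap until the distribution's bash package is updated, as the thread says.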

