[guardian-dev] Update your servers for real

Hans-Christoph Steiner hans at guardianproject.info
Sat Sep 27 19:09:46 EDT 2014


I don't know what you mean by "a solution".  bash is a nicer programming
language than /bin/sh, and it's easy to use bash in your scripts, just use
#!/bin/bash.  bash makes a poor /bin/sh because it adds lots of stuff that has
nothing to do with /bin/sh and makes it slower and much less secure, as we are
seeing with these exploits.  dash makes a much better /bin/sh.

.hc

Lee Azzarello wrote:
> If I'm not mistaken, you just recommended not using bash as a
> solution. Is that correct?
> 
> -lee
> 
> On 9/26/14, 1:24 PM, Hans-Christoph Steiner wrote:
> 
>> Another reason why bash should never be your /bin/sh.  For scripts
>> that need bash, they can easily use the shebang #!/bin/bash.  dash
>> provides a more secure, faster /bin/sh that is /bin/sh without
>> unneeded extras.
> 
>> .hc
> 
>> Chris Ballinger wrote:
>>> Saw this SIP server Shellshock scanner today: 
>>> https://github.com/zaf/sipshock
>>>
>>>> The exec module in Kamailio, Opensips and probably every other
>>>> SER fork passes the received SIP headers as environment variables
>>>> to the invoking shell. This makes these SIP proxies vulnerable to
>>>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>>>> exec functions and has the 'setvars' parameter set to 1 (default)
>>>> then by sending a SIP message containing a specially crafted header
>>>> we can run arbitrary code on the proxy machine.
>>>
>>> Every time I read about the Shellshock vulnerability I get
>>> flashbacks to this SNES game:
>>> https://www.youtube.com/watch?v=lASNUQ7M8gs
>>>
>>> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
>>> <lee at guardianproject.info> wrote:
>>>
>>>> Weird. I'm using a Wheezy base install built via debootstrap on
>>>> an Open Hosting container. It uses bash by default for the root
>>>> user. Perhaps debootstrap or my platform build scripts override
>>>> the default shell for root to be bash?
>>>>
>>>> Anyhoo, I think most people prefer Bash because it is very close
>>>> to a real programming language. This shellshock shitstorm might
>>>> be a setback for popular programming culture.
>>>>
>>>> -lee
>>>
>>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>>>
>>>>>> That's for "Lenny users:".  See this section:
>>>>>>
>>>>>> Squeeze users:
>>>>>>
>>>>>> * Dash is always installed.
>>>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>>>
>>>>>> .hc
>>>>>>
>>>>>> Lee Azzarello wrote:
>>>>>>> I'm confused. The article you linked is instructions to
>>>>>>> install dash and configure a base system to use it as
>>>>>>> default. Am I misunderstanding something?
>>>>>>>
>>>>>>> -lee
>>>>>>>
>>>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>>>>>> <hans at guardianproject.info> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> dash is still the default /bin/sh, for speed and
>>>>>>>> security, but you can change that to bash if you want: 
>>>>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>>>>
>>>>>>>> Ubuntu also uses dash by default: 
>>>>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>>>>
>>>>>>>> .hc
>>>>>>>>
>>>>>>>> Lee Azzarello wrote:
>>>>>>>>> This output is from a Debian stable base system built
>>>>>>>>> with debootstrap and no additional packages
>>>>>>>>> installed.
>>>>>>>>>
>>>>>>>>> root at debian:~# ls -l /bin/sh
>>>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>>>
>>>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>>>
>>>>>>>>> -lee
>>>>>>>>>
>>>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>>>> This seems mitigated by the fact that /bin/sh is ->
>>>>>>>>>> dash on debian. So unless something does explicitly
>>>>>>>>>> #!/bin/bash, things should be okay.
>>>>>>>>>
>>>>>>>>>> BTW, there's a related vuln that's not fixed yet - 
>>>>>>>>>> CVE-2014-7169
>>>>>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>>>>
>>>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello
>>>>>>>>>> wrote:
>>>>>>>>>>> A remote code execution bug was found in the GNU
>>>>>>>>>>> Bash shell.
>>>>>>>>>>>
>>>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>>>
>>>>>>>>>>> I tested it on Debian stable from two days ago
>>>>>>>>>>> and indeed, I could execute code after a function
>>>>>>>>>>> definition in an environment variable. A server I
>>>>>>>>>>> updated yesterday evening was not vulnerable, as
>>>>>>>>>>> the Debian team got a patch released quite fast.
>>>>>>>>>>>
>>>>>>>>>>> This affects any server you run any code on,
>>>>>>>>>>> though the remote code execution attack vector is
>>>>>>>>>>> unlikely for many contemporary application
>>>>>>>>>>> servers. Read the write up for details about a
>>>>>>>>>>> proof of concept.
>>>>>>>>>>>
>>>>>>>>>>> Good Morning!
>>>>>>>>>>>
>>>>>>>>>>> -lee
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Guardian-dev mailing list
>>>>>>>>>>>
>>>>>>>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>>>>>
>>>>>>>>>>> To Unsubscribe
>>>>>>>>>>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>>>>>>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>>>>>
>>>>>>>>>>> You are subscribed as: c1.android at niftybox.net
>>>>>>>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F
>>>>>>>> E587 374B BE81

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
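The thread keeps circling two separate questions: which binary actually backs /bin/sh on a box (Lee's `ls -l /bin/sh`), and whether a given shell still runs the trailing command of a function definition imported from the environment (the CVE-2014-6271 behaviour Lee reproduced). The script below is an added example written for this page, not code from the thread or from any of the projects named in it; the function names, the `SHELLSHOCK_MARKER` string and the sample files created in the usage notes are my own constructions. It resolves the /bin/sh symlink, reports the interpreter each script's shebang names (so you can see which scripts genuinely need `#!/bin/bash`, as Hans suggests), and probes installed shells with a harmless `echo` payload that a fixed bash, or dash, must not execute.

```sh
#!/bin/sh
# Added example (not from the thread): Shellshock exposure checks for a host.
# Written for POSIX sh so it runs the same under dash, bash and busybox ash.

# Resolve the real binary behind /bin/sh, following the symlink chain.
sh_binary() {
    readlink -f /bin/sh
}

# Print the interpreter named on a script's first line, or "none" when the
# file has no shebang. Useful for auditing which scripts truly depend on bash
# and which merely say #!/bin/sh and would run under dash.
shebang_of() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '#!'*)
            # Drop the "#!" and rely on word splitting to discard blanks and
            # interpreter arguments; $1 is then the interpreter path.
            set -- ${first#??}
            echo "$1"
            ;;
        *) echo none ;;
    esac
}

# Return 0 if the named shell executes the command that follows an exported
# function definition (the CVE-2014-6271 behaviour), 1 if it does not, and
# 2 if the shell is not installed. The payload only echoes a constructed
# marker; a patched bash treats the variable as plain data, and dash never
# imported functions from the environment at all.
shell_is_affected() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || return 2
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$shell" -c 'echo ok' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict per shell. The && / || pair captures the status without
# tripping "set -e" in callers that enable it.
report_shell() {
    shell_is_affected "$1" && status=0 || status=$?
    case $status in
        0) echo "$1: AFFECTED by CVE-2014-6271, update the package" ;;
        2) echo "$1: not installed" ;;
        *) echo "$1: not affected (patched, or ignores environment functions)" ;;
    esac
}

main() {
    printf '/bin/sh resolves to: %s\n' "$(sh_binary)"
    for candidate in /bin/sh /bin/bash /bin/dash; do
        report_shell "$candidate"
    done
}

main "$@"
```

Run it as `sh shellcheck-env.sh` (any file name will do) on each server after patching; a host where /bin/sh resolves to bash and `report_shell /bin/bash` prints AFFECTED is the combination Lee hit on his debootstrap image. To audit scripts, loop `shebang_of` over a directory of init or cron scripts: anything reporting `/bin/sh` runs under dash once the symlink is switched, while anything reporting `/bin/bash` keeps its bash semantics regardless. On Debian and Ubuntu the DashAsBinSh wiki pages linked in the thread document `dpkg-reconfigure dash` as the supported way to choose which shell /bin/sh points at.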
