[guardian-dev] Update your servers for real

Lee Azzarello lee at guardianproject.info
Sat Sep 27 23:02:46 EDT 2014


I guess I've been too reactive due to the escalating panic all up on the
interwebs. There have been some randos on Twitter who have suggested
/removing bash/ as a solution. Which to me sounds hilarious since what
does pid 1 do when bash is gone?

I understand your point and I agree. Though I fear that the test
coverage for your recommendation is impossible in practice for existing
software. I can't ensure that replacing /bin/sh with something other
than Bash would not break random software that people run on boot.
There's a bunch of stuff in /etc/init.d that could possibly require
/bin/bash, right? I really don't know.

Anecdote: I had a short gig not too long ago to install some esoteric
enterprise database on Solaris 10 for some financial institution. The
default shell for Solaris 10 is...wait for it...

C shell!

*mind blown*

I never thought I would long for the luxury of bash.

-lee
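An added example, not code from anyone in this thread, that turns the questions raised here into a local audit: what /bin/sh resolves to, which scripts in an init directory hard-require bash regardless of that symlink, and whether a given shell binary still runs the trailing command of a function definition passed through the environment (the CVE-2014-6271 behaviour). The sample init directory and its file names are constructed for the demo; the shell check is the self-test from the public advisory.

```shell
#!/bin/sh
# Added example, not code from the thread: a defender-side audit for the
# /bin/sh, init.d and CVE-2014-6271 questions discussed in this thread.

# Basename of the final target of a path, e.g. "dash" or "bash" for /bin/sh.
sh_target() {
    basename "$(readlink -f "$1")"
}

# Print scripts in a directory whose shebang names bash explicitly
# (#!/bin/bash or #!/usr/bin/env bash). Pointing /bin/sh at dash does
# nothing for these; they need the patched bash package.
bash_shebang_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -Eq '^#![[:space:]]*(/bin/bash|/usr/bin/env[[:space:]]+bash)' \
            && echo "$f"
    done
    return 0
}

# Self-test from the public CVE-2014-6271 advisory: an environment variable
# shaped like a function definition with a trailing command. A fixed shell
# never runs the tail; an unpatched bash echoes the marker.
# Prints vulnerable, patched, or absent (binary not installed).
shellshock_status() {
    [ -x "$1" ] || { echo absent; return 0; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$1" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Constructed sample init directory (hypothetical names) so the audit can
# be exercised without touching the real /etc/init.d. Prints its path.
make_sample_initd() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n: posix script\n' > "$d/a-networking"
    printf '#!/bin/bash\n: needs bash\n' > "$d/b-legacy-db"
    printf '#!/usr/bin/env bash\n: also bash\n' > "$d/c-monitor"
    printf '#!/usr/bin/python\npass\n' > "$d/d-agent"
    echo "$d"
}
# Stand-alone run: report on this host, then on the constructed directory.
echo "/bin/sh -> $(sh_target /bin/sh); /bin/bash: $(shellshock_status /bin/bash)"
sample=$(make_sample_initd)
bash_shebang_scripts "$sample"
rm -rf "$sample"
```

Run it as root on a box you administer and compare the reported bash-only scripts against what your package manager says is still unpatched.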

On 9/27/14, 7:09 PM, Hans-Christoph Steiner wrote:
> 
> I don't know what you mean by "a solution".  bash is a nicer programming
> language than /bin/sh, and it's easy to use bash in your scripts, just use
> #!/bin/bash.  bash makes a poor /bin/sh because it adds lots of stuff that has
> nothing to do with /bin/sh and makes it slower and much less secure, as we are
> seeing with these exploits.  dash makes a much better /bin/sh.
> 
> .hc
> 
> Lee Azzarello wrote:
>> If I'm not mistaken, you just recommended not using bash as a
>> solution. Is that correct?
>>
>> -lee
>>
>> On 9/26/14, 1:24 PM, Hans-Christoph Steiner wrote:
>>
>>> Another reason why bash should never be your /bin/sh.  For scripts
>>> that need bash, they can easily use the shebang #!/bin/bash.  dash
>>> provides a more secure, faster /bin/sh that is /bin/sh without
>>> unneeded extras.
>>
>>> .hc
>>
>>> Chris Ballinger wrote:
>>>> Saw this SIP server Shellshock scanner today: 
>>>> https://github.com/zaf/sipshock
>>>>
>>>>> The exec module in Kamailio, Opensips and probably every other
>>>>> SER fork passes the received SIP headers as environment variables to
>>>>> the invoking shell. This makes these SIP proxies vulnerable to
>>>>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>>>>> exec functions and has the 'setvars' parameter set to 1 (default)
>>>>> then by sending a SIP message containing a specially crafted header
>>>>> we can run arbitrary code on the proxy machine.
>>>>
>>>> Every time I read about the Shellshock vulnerability I get
>>>> flashbacks to this SNES game:
>>>> https://www.youtube.com/watch?v=lASNUQ7M8gs
>>>>
>>>> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
>>>> <lee at guardianproject.info> wrote:
>>>>
>>>> Weird. I'm using a Wheezy base install built via debootstrap on
>>>> an Open Hosting container. It uses bash by default for the root
>>>> user. Perhaps debootstrap or my platform build scripts override
>>>> the default shell for root to be bash?
>>>>
>>>> Anyhoo, I think most people prefer Bash because it is very close
>>>> to a real programming language. This shellshock shitstorm might
>>>> be a setback for popular programming culture.
>>>>
>>>> -lee
>>>>
>>>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>>>>
>>>>>>> That's for "Lenny users:".  See this section:
>>>>>>>
>>>>>>> Squeeze users:
>>>>>>>
>>>>>>> * Dash is always installed.
>>>>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>>>>
>>>>>>> .hc
>>>>>>>
>>>>>>> Lee Azzarello wrote:
>>>>>>>> I'm confused. The article you linked is instructions to
>>>>>>>> install dash and configure a base system to use it as
>>>>>>>> default. Am I misunderstanding something?
>>>>>>>>
>>>>>>>> -lee
>>>>>>>>
>>>>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>>>>>>> <hans at guardianproject.info> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> dash is still the default /bin/sh, for speed and
>>>>>>>>> security, but you can change that to bash if you want: 
>>>>>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>>>>>
>>>>>>>>> Ubuntu also uses dash by default: 
>>>>>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>>>>>
>>>>>>>>> .hc
>>>>>>>>>
>>>>>>>>> Lee Azzarello wrote:
>>>>>>>>>> This output is from a Debian stable base system built
>>>>>>>>>> with debootstrap and no additional packages
>>>>>>>>>> installed.
>>>>>>>>>>
>>>>>>>>>> root at debian:~# ls -l /bin/sh
>>>>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>>>>
>>>>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>>>>
>>>>>>>>>> -lee
>>>>>>>>>>
>>>>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>>>>> This seems mitigated by the fact that /bin/sh is ->
>>>>>>>>>>> dash on debian. So unless something does explicitly
>>>>>>>>>>> #!/bin/bash, things should be okay.
>>>>>>>>>>
>>>>>>>>>>> BTW, there's a related vuln that's not fixed yet - 
>>>>>>>>>>> CVE-2014-7169
>>>>>>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>>>>>
>>>>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello
>>>>>>>>>>> wrote:
>>>>>>>>>>>> A remote code execution bug was found in the GNU
>>>>>>>>>>>> Bash shell.
>>>>>>>>>>>>
>>>>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>>>>
>>>>>>>>>>>> I tested it on Debian stable from two days ago
>>>>>>>>>>>> and indeed, I could execute code after a function
>>>>>>>>>>>> definition in an environment variable. A server I
>>>>>>>>>>>> updated yesterday evening was not vulnerable, as
>>>>>>>>>>>> the Debian team got a patch released quite fast.
>>>>>>>>>>>>
>>>>>>>>>>>> This affects any server you run any code on,
>>>>>>>>>>>> though the remote code execution attack vector is
>>>>>>>>>>>> unlikely for many contemporary application
>>>>>>>>>>>> servers. Read the write up for details about a
>>>>>>>>>>>> proof of concept.
>>>>>>>>>>>>
>>>>>>>>>>>> Good Morning!
>>>>>>>>>>>>
>>>>>>>>>>>> -lee
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Guardian-dev mailing list
>>>>>>>>>>>>
>>>>>>>>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>>>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>>>>>>
>>>>>>>>>>>> To Unsubscribe
>>>>>>>>>>>>         Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>>>>>>>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>>>>>>
>>>>>>>>>>>> You are subscribed as: c1.android at niftybox.net


