[guardian-dev] Update your servers for real

Hans-Christoph Steiner hans at guardianproject.info
Sun Sep 28 00:44:34 EDT 2014


Both Debian and Ubuntu have shipped with dash as /bin/sh for many years, so if
you're using packages from those repos, you should be fine.  Can't help you
with Solaris ;-)

.hc

Lee Azzarello wrote:
> I guess I've been too reactive due to the escalating panic all up on the
> interwebs. There have been some randos on Twitter who have suggested
> /removing bash/ as a solution. Which to me sounds hilarious since what
> does pid 1 do when bash is gone?
> 
> I understand your point and I agree. Though I fear that the test
> coverage for your recommendation is impossible in practice for existing
> software. I can't ensure that replacing /bin/sh with something other
> than Bash would not break random software that people run on boot.
> There's a bunch of stuff in /etc/init.d that could possibly require
> /bin/bash, right? I really don't know.
> 
> Anecdote: I had a short gig not too long ago to install some esoteric
> enterprise database on Solaris 10 for some financial institution. The
> default shell for Solaris 10 is...wait for it...
> 
> C shell!
> 
> *mind blown*
> 
> I never thought I would long for the luxury of bash.
> 
> -lee
> 
> On 9/27/14, 7:09 PM, Hans-Christoph Steiner wrote:
>>
>> I don't know what you mean by "a solution".  bash is a nicer programming
>> language than /bin/sh, and it's easy to use bash in your scripts, just use
>> #!/bin/bash.  bash makes a poor /bin/sh because it adds lots of stuff that has
>> nothing to do with /bin/sh and makes it slower and much less secure, as we are
>> seeing with these exploits.  dash makes a much better /bin/sh.
>>
>> .hc
>>
>> Lee Azzarello wrote:
>>> If I'm not mistaken, you just recommended not using bash as a
>>> solution. is that correct?
>>>
>>> -lee
>>>
>>> On 9/26/14, 1:24 PM, Hans-Christoph Steiner wrote:
>>>
>>>> Another reason why bash should never be your /bin/sh.  For scripts
>>>> that need bash, they can easily use the shebang #!/bin/bash.  dash
>>>> provides a more secure, faster /bin/sh that is /bin/sh without
>>>> unneeded extras.
>>>
>>>> .hc
>>>
>>>> Chris Ballinger wrote:
>>>>> Saw this SIP server Shellshock scanner today: 
>>>>> https://github.com/zaf/sipshock
>>>>>
>>>>>> The exec module in Kamailio, Opensips and probably every other
>>>>>> SER fork
>>>>> passes the received SIP headers as environment variables to the
>>>>> invoking shell. This makes these SIP proxies vulnerable to
>>>>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>>>>> exec functions and has the 'setvars' parameter set to 1 (default)
>>>>> then by sending a SIP message containing a specially crafted header
>>>>> we can run arbitrary code on the proxy machine.
>>>>>
>>>>> Every time I read about the Shellshock vulnerability I get
>>>>> flashbacks to this SNES game:
>>>>> https://www.youtube.com/watch?v=lASNUQ7M8gs
>>>>>
>>>>> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
>>>>> <lee at guardianproject.info> wrote:
>>>>>
>>>>> Weird. I'm using a Wheezy base install built via debootstrap on
>>>>> an Open Hosting container. It uses bash by default for the root
>>>>> user. Perhaps debootstrap or my platform build scripts override
>>>>> the default shell for root to be bash?
>>>>>
>>>>> Anyhoo, I think most people prefer Bash because it is very close
>>>>> to a real programming language. This shellshock shitstorm might
>>>>> be a setback for popular programming culture.
>>>>>
>>>>> -lee
>>>>>
>>>>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>>>>>
>>>>>>>> That's for "Lenny users:".  See this section:
>>>>>>>>
>>>>>>>> Squeeze users:
>>>>>>>>
>>>>>>>> * Dash is always installed.
>>>>>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>>>>>
>>>>>>>> .hc
>>>>>>>>
>>>>>>>> Lee Azzarello wrote:
>>>>>>>>> I'm confused. The article you linked is instructions to
>>>>>>>>> install dash and configure a base system to use it as
>>>>>>>>> default. Am I misunderstanding something?
>>>>>>>>>
>>>>>>>>> -lee
>>>>>>>>>
>>>>>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>>>>>>>> <hans at guardianproject.info> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> dash is still the default /bin/sh, for speed and
>>>>>>>>>> security, but you can change that to bash if you want: 
>>>>>>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>>>>>>
>>>>>>>>>> Ubuntu also uses dash by default: 
>>>>>>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>>>>>>
>>>>>>>>>> .hc
>>>>>>>>>>
>>>>>>>>>> Lee Azzarello wrote:
>>>>>>>>>>> This output is from a Debian stable base system built
>>>>>>>>>>> with debootstrap and no additional packages
>>>>>>>>>>> installed.
>>>>>>>>>>>
>>>>>>>>>>> root at debian:~# ls -l /bin/sh
>>>>>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>>>>>
>>>>>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>>>>>
>>>>>>>>>>> -lee
>>>>>>>>>>>
>>>>>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>>>>>> This seems mitigated by the fact that /bin/sh is ->
>>>>>>>>>>>> dash on debian. So unless something does explicitly
>>>>>>>>>>>> #!/bin/bash, things should be okay.
>>>>>>>>>>>
>>>>>>>>>>>> BTW, there's a related vuln that's not fixed yet - 
>>>>>>>>>>>> CVE-2014-7169
>>>>>>>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>>>>>>
>>>>>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> A remote code execution bug was found in the GNU
>>>>>>>>>>>>> Bash shell.
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>>>>>
>>>>>>>>>>>>> I tested it on Debian stable from two days ago
>>>>>>>>>>>>> and indeed, I could execute code after a function
>>>>>>>>>>>>> definition in an environment variable. A server I
>>>>>>>>>>>>> updated yesterday evening was not vulnerable, as
>>>>>>>>>>>>> the Debian team got a patch released quite fast.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This affects any server you run any code on,
>>>>>>>>>>>>> though the remote code execution attack vector is
>>>>>>>>>>>>> unlikely for many contemporary application
>>>>>>>>>>>>> servers. Read the write up for details about a
>>>>>>>>>>>>> proof of concept.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Good Morning!
>>>>>>>>>>>>>
>>>>>>>>>>>>> -lee
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Guardian-dev mailing list
>>>>>>>>>>>>>
>>>>>>>>>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>>>>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>>>>>>>
>>>>>>>>>>>>> To Unsubscribe
>>>>>>>>>>>>>         Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>>>>>>>>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>>>>>>>
>>>>>>>>>>>>> You are subscribed as: c1.android at niftybox.net
>>>>>>>>>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F
>>>>>>>>>> E587 374B BE81

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
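Lee's worry in the thread is whether anything under /etc/init.d would break if /bin/sh stopped being bash. Before switching, the useful check is which scripts explicitly ask for bash (and so keep running bash whatever /bin/sh points to) versus which follow the /bin/sh symlink. The audit below is an added example written for this page, not code from the thread or from Debian; it assumes GNU `readlink -f` (with an `ls -l` fallback) and builds a constructed sample directory instead of touching the real /etc/init.d.

```shell
#!/bin/sh
# Audit which scripts will be run by bash and which by whatever /bin/sh
# resolves to. Added example, not from the thread. Assumes POSIX sh plus
# GNU readlink -f (falls back to ls -l if readlink -f is unavailable).

# Classify one script by its shebang line. Prints one of:
#   bash  - explicitly requests bash (#!/bin/bash or #!/usr/bin/env bash),
#           so it keeps using bash no matter what /bin/sh points to
#   sh    - requests /bin/sh, so it follows the symlink (dash on Debian/Ubuntu)
#   other - some other interpreter, or no shebang at all
classify_script() {
    first=$(head -n 1 "$1")
    case "$first" in
        '#!'*/bash*|'#!'*'env bash'*) echo bash ;;
        '#!'*/sh|'#!'*'/sh '*)        echo sh ;;
        *)                            echo other ;;
    esac
}

# Report what /bin/sh on this machine actually resolves to.
resolve_bin_sh() {
    readlink -f /bin/sh 2>/dev/null || ls -l /bin/sh
}

# Walk a directory and print "<class> <path>" for each regular file in it.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(classify_script "$f")" "$f"
    done
}

# Count how many scripts in a directory fall into a given class.
count_class() {
    audit_dir "$1" | grep -c "^$2 " || true
}

# Constructed sample init.d-style directory used to demonstrate the audit.
SAMPLE_DIR=$(mktemp -d)
printf '#!/bin/bash\necho bash-only\n'        > "$SAMPLE_DIR/needs-bash"
printf '#!/bin/sh\necho portable\n'           > "$SAMPLE_DIR/portable"
printf '#!/bin/sh -e\necho portable-e\n'      > "$SAMPLE_DIR/portable-e"
printf '#!/usr/bin/env bash\necho env-bash\n' > "$SAMPLE_DIR/env-bash"
printf '#!/usr/bin/perl\nprint "ok";\n'       > "$SAMPLE_DIR/perl-script"

echo "/bin/sh resolves to: $(resolve_bin_sh)"
audit_dir "$SAMPLE_DIR"
```

Run it against a real directory with `audit_dir /etc/init.d`; only the scripts reported as `sh` change interpreter when /bin/sh is repointed.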

