Saw this SIP server Shellshock scanner today: https://github.com/zaf/sipshock
> The exec module in Kamailio, Opensips and propably every other SER fork passes the received SIP headers as environment viarables to the invoking shell. This makes these SIP proxies vulnerable to CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the exec funtions and has the 'setvars' parameter set to 1 (default) then by sending SIP message containing a specially crafted header we can run arbitrary code on the proxy machine. Every time I read about the Shellshock vulnerability I get flashbacks to this SNES game: https://www.youtube.com/watch?v=lASNUQ7M8gs On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Weird. I'm using a Wheezy base install built via debootstrap on an > Open Hosting container. It uses bash by default for the root user. > Perhaps debootstrap or my platform build scripts override the default > shell for root to be bash? > > Anyhoo, I think most people prefer Bash because it is very close to a > real programming language. This shellshock shitstorm might be a > setback for popular programming culture. > > - -lee > > On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote: > > > > That's for "Lenny users:". See this section: > > > > Squeeze users: > > > > * Dash is always installed. * /bin/sh is dash by default (even for > > upgraded systems). > > > > .hc > > > > Lee Azzarello wrote: > >> I'm confused. The article you linked is instructions to install > >> dash and configure a base system to use it as default. Am I > >> misunderstanding something? > >> > >> -lee > >> > >> On Thursday, September 25, 2014, Hans-Christoph Steiner < > >> [email protected]> wrote: > >> > >>> > >>> dash is still the default /bin/sh, for speed and security, but > >>> you can change that to bash if you want: > >>> https://wiki.debian.org/DashAsBinSh > >>> > >>> Ubuntu also uses dash by default: > >>> https://wiki.ubuntu.com/DashAsBinSh > >>> > >>> .hc > >>> > >>> Lee Azzarello wrote: > >>>> This output is from a Debian stable base system built with > >>>> debootstrap and no additional packages installed. > >>>> > >>>> root@debian:~# ls -l /bin/sh lrwxrwxrwx 1 root root 4 Jun 17 > >>>> 21:47 /bin/sh -> bash > >>>> > >>>> I don't think Debian has used Dash since Sarge. > >>>> > >>>> -lee > >>>> > >>>> On 9/25/14, 1:36 PM, Dev Random wrote: > >>>>> This seems mitigated by the fact that /bin/sh is -> dash on > >>>>> debian. So unless something does explicitly #!/bin/bash, > >>>>> things should be okay. > >>>> > >>>>> BTW, there's a related vuln that's not fixed yet - > >>>>> CVE-2014-7169 https://news.ycombinator.com/item?id=8365158 > >>>> > >>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote: > >>>>>> A remote code execution bug was found in the GNU Bash > >>>>>> shell. > >>>>>> > >>>>>> http://seclists.org/oss-sec/2014/q3/650 > >>>>>> > >>>>>> I tested it on Debian stable from two days ago and > >>>>>> indeed, I could execute code after a function definition > >>>>>> in an environment variable. A server I updated yesterday > >>>>>> evening was not vulnerable, as the Debian team got a > >>>>>> patch released quite fast. > >>>>>> > >>>>>> This effects any server you run any code on, though the > >>>>>> remote code execution attack vector is unlikely for many > >>>>>> contemporary application servers. Read the write up for > >>>>>> details about a proof of concept. > >>>>>> > >>>>>> Good Morning! > >>>>>> > >>>>>> -lee _______________________________________________ > >>>>>> Guardian-dev mailing list > >>>>>> > >>>>>> Post: [email protected] <javascript:;> List > >>>>>> info: > >>>>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev > >>>>>> > >>>>>> To Unsubscribe Send email to: > >>>>>> [email protected] > >>>>>> <javascript:;> Or visit: > >>>>>> > >>> > https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net > >>>>>> > >>>>>> > >>>>>> > >>>> > >>> > You are subscribed as: [email protected] <javascript:;> > >>>> > >>>> > >>>> _______________________________________________ Guardian-dev > >>>> mailing list > >>>> > >>>> Post: [email protected] <javascript:;> List > >>>> info: > >>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev > >>>> > >>>> To Unsubscribe Send email to: > >>>> [email protected] > >>> <javascript:;> > >>>> Or visit: > >>> > https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info > >>>> > >>>> > >>> > You are subscribed as: [email protected] <javascript:;> > >>>> > >>> > >>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 > >>> 374B BE81 _______________________________________________ > >>> Guardian-dev mailing list > >>> > >>> Post: [email protected] <javascript:;> List info: > >>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev > >>> > >>> To Unsubscribe Send email to: > >>> [email protected] <javascript:;> Or > >>> visit: > >>> > https://lists.mayfirst.org/mailman/options/guardian-dev/lee%40guardianproject.info > >>> > >>> > >>> > You are subscribed as: [email protected] <javascript:;> > >>> > >> > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBAgAGBQJUJNVZAAoJEKhL9IoSyjdlQVQP/iQYtoX6gUgUf8Q2MoExajx7 > Q1ul0s/R0xn6eAl3Fe9hDgKF7/H4jM7CyTxyRpeWkhgaJ4gTiMcqblABoGszMiDp > HrpPHhXhcgq2IKSAELRzfkvHooJIRVE9QyQb1K4+W2kqRbDD1JWCZj4KVFt8dTBK > 9KFsGZ8nJdqM8t63YA4u5INVYbRWa/gCPesjMaOrL95t8F5OvMsFKgxMtuZj44XK > tiOhevYcp9zWP1XIoMRpazGkFUTx9KY6hRVz4QD6yw9/LL1B2qI7M7IkqV3+i0dK > 7K2mQAoVRE+P6c7QGID5HLH8T5sWNll8cQnuasZo8ElQbHLPv4SWjqRBMXFgFV1P > eDz3mpDVjC4gi1AP7BBTvqaYOMj42U8coP9RI0/CTbCsR+DX1IkjkkcWDqPOj2Gi > zLdGRP4N9hfMfcERtp7FeS8tG6lW8px2EstU3UwLTMRBXtmnREXJOBPGK8L6Wb/T > dp0VXO+kjrPV8xArD5GbvzqCs+ZvH6kTh2z6vU6TuldA+6LhY+15rvMzey5BwnOK > M2ZwTOBLCx8wmyJVvH5qObYVYFAleV+oYL55LINOfo4b+xwZr7L9Vj6vpUTWVybI > xx3F9csoklTFfycIGg5qdvQnqulq1yOcdagIHpKratKkmE+igcflAXD2WQMrZO3P > DxKtFq25bpwMo5HOxuBn > =gzNg > -----END PGP SIGNATURE----- > _______________________________________________ > Guardian-dev mailing list > > Post: [email protected] > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > > To Unsubscribe > Send email to: [email protected] > Or visit: > https://lists.mayfirst.org/mailman/options/guardian-dev/chrisballinger%40gmail.com > > You are subscribed as: [email protected] >
_______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
