Another reason why bash should never be your /bin/sh. For scripts that need bash, they can easily use the shebang #!/bin/bash. dash provides a more secure, faster /bin/sh that is /bin/sh without unneeded extras.
.hc

Chris Ballinger wrote:
> Saw this SIP server Shellshock scanner today:
> https://github.com/zaf/sipshock
>
>> The exec module in Kamailio, Opensips and probably every other SER fork
>> passes the received SIP headers as environment variables to the invoking
>> shell. This makes these SIP proxies vulnerable to CVE-2014-6271 (Bash
>> Shellshock). If a proxy is using any of the exec functions and has the
>> 'setvars' parameter set to 1 (default) then by sending a SIP message
>> containing a specially crafted header we can run arbitrary code on the
>> proxy machine.
>
> Every time I read about the Shellshock vulnerability I get flashbacks to
> this SNES game: https://www.youtube.com/watch?v=lASNUQ7M8gs
>
> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello <[email protected]>
> wrote:
>
>> Weird. I'm using a Wheezy base install built via debootstrap on an
>> Open Hosting container. It uses bash by default for the root user.
>> Perhaps debootstrap or my platform build scripts override the default
>> shell for root to be bash?
>>
>> Anyhoo, I think most people prefer Bash because it is very close to a
>> real programming language. This shellshock shitstorm might be a
>> setback for popular programming culture.
>>
>> -lee
>>
>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>> That's for "Lenny users:". See this section:
>>>
>>> Squeeze users:
>>>
>>> * Dash is always installed.
>>> * /bin/sh is dash by default (even for upgraded systems).
>>>
>>> .hc
>>>
>>> Lee Azzarello wrote:
>>>> I'm confused. The article you linked is instructions to install
>>>> dash and configure a base system to use it as default. Am I
>>>> misunderstanding something?
>>>>
>>>> -lee
>>>>
>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner <
>>>> [email protected]> wrote:
>>>>
>>>>> dash is still the default /bin/sh, for speed and security, but
>>>>> you can change that to bash if you want:
>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>
>>>>> Ubuntu also uses dash by default:
>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>
>>>>> .hc
>>>>>
>>>>> Lee Azzarello wrote:
>>>>>> This output is from a Debian stable base system built with
>>>>>> debootstrap and no additional packages installed.
>>>>>>
>>>>>> root@debian:~# ls -l /bin/sh
>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>
>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>
>>>>>> -lee
>>>>>>
>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>> This seems mitigated by the fact that /bin/sh is -> dash on
>>>>>>> debian. So unless something does explicitly #!/bin/bash,
>>>>>>> things should be okay.
>>>>>>>
>>>>>>> BTW, there's a related vuln that's not fixed yet -
>>>>>>> CVE-2014-7169 https://news.ycombinator.com/item?id=8365158
>>>>>>>
>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>>>>> A remote code execution bug was found in the GNU Bash
>>>>>>>> shell.
>>>>>>>>
>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>
>>>>>>>> I tested it on Debian stable from two days ago and
>>>>>>>> indeed, I could execute code after a function definition
>>>>>>>> in an environment variable. A server I updated yesterday
>>>>>>>> evening was not vulnerable, as the Debian team got a
>>>>>>>> patch released quite fast.
>>>>>>>>
>>>>>>>> This affects any server you run any code on, though the
>>>>>>>> remote code execution attack vector is unlikely for many
>>>>>>>> contemporary application servers. Read the write up for
>>>>>>>> details about a proof of concept.
>>>>>>>>
>>>>>>>> Good Morning!
>>>>>>>>
>>>>>>>> -lee
>>>>>>>> _______________________________________________
>>>>>>>> Guardian-dev mailing list
>>>>>>>>
>>>>>>>> Post: [email protected]
>>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>>
>>>>>>>> To Unsubscribe
>>>>>>>> Send email to: [email protected]
>>>>>>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>>
>>>>>>>> You are subscribed as: [email protected]
>>>>>
>>>>> --
>>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
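The thread above describes the exposure that makes Shellshock reachable over SIP: a proxy's exec module exporting received header values into the environment of a shell it spawns, where an unpatched bash parses a value beginning with a function definition and runs what follows it. The scanner below is an added detection example for the defender's side of that picture; it is not code from the thread, from sipshock, or from Kamailio/OpenSIPS. The SIP messages in it are constructed samples, the header unfolding follows RFC 3261 rather than any proxy's parser, and the indicator it matches is the function-definition prefix (`() {`) that public IDS signatures for CVE-2014-6271 also key on.

```python
"""Flag Shellshock-style function definitions in SIP header values.

Added example, not code from the mailing-list thread or from any SIP
proxy. It inspects raw SIP messages for header values that an unpatched
bash would parse as a function definition once exported into the
environment, so an operator can alert on them regardless of whether the
proxy's exec functions are in use. All sample messages are constructed.
"""
import re
from typing import List, Tuple

# Indicator shared with public IDS rules for CVE-2014-6271: an empty
# parameter list followed by an opening brace, i.e. a bash function body.
SHELLSHOCK_MARKER = re.compile(r"\(\s*\)\s*\{")

# Constructed sample: one header carries the function-definition prefix.
SUSPICIOUS_REQUEST = (
    "INVITE sip:[email protected] SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:[email protected]>;tag=1928301774\r\n"
    "To: <sip:[email protected]>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "User-Agent: () { :; }; echo shellshock-test\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: an ordinary INVITE with no indicator.
BENIGN_REQUEST = (
    "INVITE sip:[email protected] SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.11:5060;branch=z9hG4bK4b43c2ff8\r\n"
    "From: <sip:[email protected]>;tag=9fxced76sl\r\n"
    "To: <sip:[email protected]>\r\n"
    "Call-ID: 3848276298220188511\r\n"
    "User-Agent: Softphone/1.2\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the indicator is split across a folded header line,
# which a scanner that only looks at single lines would miss.
FOLDED_REQUEST = (
    "OPTIONS sip:proxy.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK0a1b2c\r\n"
    "Subject: ()\r\n"
    " {:;}; echo folded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw SIP message.

    Continuation lines (RFC 3261 section 7.3.1: a line beginning with SP or
    HTAB continues the previous header) are unfolded into the prior value,
    joined by a single space, which is how a receiving proxy sees them.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the request or status line
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def scan_sip_message(raw: str) -> List[Tuple[str, str]]:
    """Return the headers whose (unfolded) value carries the indicator."""
    return [(n, v) for n, v in parse_sip_headers(raw) if SHELLSHOCK_MARKER.search(v)]


if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS_REQUEST),
                       ("benign", BENIGN_REQUEST),
                       ("folded", FOLDED_REQUEST)):
        hits = scan_sip_message(msg)
        print(f"{label}: {len(hits)} flagged header(s) {hits}")
```

Matching on the unfolded value matters because the proxy reassembles folded lines before the value ever reaches the environment, so a scanner working line by line sees a different string than the shell does. This only detects the indicator; the fixes the thread points to are a patched bash and a /bin/sh that is dash, and for the exec module specifically, not exporting headers into the environment (the `setvars` parameter mentioned above).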
