Chris, you rule, thanks. This is the first peep about SIP security I have /ever received from anyone at any time/.

I'm checking the server but I don't think I'm using that module. I don't have to execute shell scripts for anything on the Kamailio layer in ostel.co. I also updated the shell a few hours after the public announcement of the exploit so it should be moot but the escalating panic is stronk.

-lee

On 9/26/14, 1:02 PM, Chris Ballinger wrote:
> Saw this SIP server Shellshock scanner today:
> https://github.com/zaf/sipshock
>
>> The exec module in Kamailio, Opensips and probably every other SER
>> fork passes the received SIP headers as environment variables to
>> the invoking shell. This makes these SIP proxies vulnerable to
>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>> exec functions and has the 'setvars' parameter set to 1 (default)
>> then by sending a SIP message containing a specially crafted header
>> we can run arbitrary code on the proxy machine.
>
> Every time I read about the Shellshock vulnerability I get
> flashbacks to this SNES game:
> https://www.youtube.com/watch?v=lASNUQ7M8gs
>
> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello <[email protected]> wrote:
>
> Weird. I'm using a Wheezy base install built via debootstrap on an
> Open Hosting container. It uses bash by default for the root user.
> Perhaps debootstrap or my platform build scripts override the
> default shell for root to be bash?
>
> Anyhoo, I think most people prefer Bash because it is very close to
> a real programming language. This shellshock shitstorm might be a
> setback for popular programming culture.
>
> -lee
>
> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>
>> That's for "Lenny users:". See this section:
>>
>> Squeeze users:
>>
>> * Dash is always installed.
>> * /bin/sh is dash by default (even for upgraded systems).
>>
>> .hc
>>
>> Lee Azzarello wrote:
>>> I'm confused. The article you linked is instructions to
>>> install dash and configure a base system to use it as default.
>>> Am I misunderstanding something?
>>>
>>> -lee
>>>
>>> On Thursday, September 25, 2014, Hans-Christoph Steiner <[email protected]> wrote:
>>>
>>>> dash is still the default /bin/sh, for speed and security,
>>>> but you can change that to bash if you want:
>>>> https://wiki.debian.org/DashAsBinSh
>>>>
>>>> Ubuntu also uses dash by default:
>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>
>>>> .hc
>>>>
>>>> Lee Azzarello wrote:
>>>>> This output is from a Debian stable base system built with
>>>>> debootstrap and no additional packages installed.
>>>>>
>>>>> root@debian:~# ls -l /bin/sh
>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>
>>>>> I don't think Debian has used Dash since Sarge.
>>>>>
>>>>> -lee
>>>>>
>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>> This seems mitigated by the fact that /bin/sh is -> dash
>>>>>> on debian. So unless something does explicitly
>>>>>> #!/bin/bash, things should be okay.
>>>>>>
>>>>>> BTW, there's a related vuln that's not fixed yet -
>>>>>> CVE-2014-7169
>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>
>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>>>> A remote code execution bug was found in the GNU Bash
>>>>>>> shell.
>>>>>>>
>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>
>>>>>>> I tested it on Debian stable from two days ago and
>>>>>>> indeed, I could execute code after a function
>>>>>>> definition in an environment variable. A server I
>>>>>>> updated yesterday evening was not vulnerable, as the
>>>>>>> Debian team got a patch released quite fast.
>>>>>>>
>>>>>>> This affects any server you run any code on, though
>>>>>>> the remote code execution attack vector is unlikely for
>>>>>>> many contemporary application servers. Read the write-up
>>>>>>> for details about a proof of concept.
>>>>>>>
>>>>>>> Good Morning!
>>>>>>>
>>>>>>> -lee
>>>>>>> _______________________________________________
>>>>>>> Guardian-dev mailing list
>>>>>>>
>>>>>>> Post: [email protected]
>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>
>>>>>>> To Unsubscribe Send email to: [email protected]
>>>>>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>
>>>>>>> You are subscribed as: [email protected]
>>>>
>>>> --
>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
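The sipshock README quoted in the thread describes SIP proxies exporting received headers verbatim into the environment of a shell. As an added example (not code from the thread, from Kamailio or from sipshock), here is a small Python detector a proxy operator could run over captured SIP traffic: it parses a message's headers and flags any value that bash, before the CVE-2014-6271 fix, would have treated as an exported function definition, reporting what follows the closing brace. The sample INVITE, its addresses and header names are constructed for the example.

```python
import re

# Unpatched bash treated any environment value beginning with "() {" as a
# function definition and went on executing whatever followed the closing
# brace, so a SIP header exported unchanged by an exec module is a trigger.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")


def parse_sip_headers(message: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw SIP message; folded lines are joined."""
    head = message.split("\r\n\r\n", 1)[0]
    headers: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def trailing_commands(value: str) -> str:
    """Return whatever follows the outermost closing brace of a function body."""
    depth = 0
    for i, ch in enumerate(value):
        depth += ch == "{"
        depth -= ch == "}"
        if ch == "}" and depth == 0:
            return value[i + 1:].strip()
    return ""


def find_shellshock_headers(message: str) -> list[dict[str, str]]:
    """Flag headers whose value bash would parse as an exported function."""
    return [
        {"header": name, "trailer": trailing_commands(value)}
        for name, value in parse_sip_headers(message)
        if FUNC_DEF.match(value)
    ]


# Constructed sample INVITE: a normal Via header, a User-Agent shaped like a
# bash function with a harmless trailing command, and a folded Subject header.
SAMPLE_INVITE = (
    "INVITE sip:[email protected] SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example\r\n"
    "User-Agent: () { :; }; echo test\r\n"
    "Subject: multi\r\n"
    " line\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

A non-empty trailer is the CVE-2014-6271 shape; a matching value with an empty trailer is still worth logging, since the later bash parser bugs (the thread mentions CVE-2014-7169) were triggered by function-shaped values without an obvious trailing command.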
