If I'm not mistaken, you just recommended not using bash as a solution. Is that correct?

-lee

On 9/26/14, 1:24 PM, Hans-Christoph Steiner wrote:
>
> Another reason why bash should never be your /bin/sh. For scripts
> that need bash, they can easily use the shebang #!/bin/bash. dash
> provides a more secure, faster /bin/sh that is /bin/sh without
> unneeded extras.
>
> .hc
>
> Chris Ballinger wrote:
>> Saw this SIP server Shellshock scanner today:
>> https://github.com/zaf/sipshock
>>
>>> The exec module in Kamailio, Opensips and probably every other
>>> SER fork passes the received SIP headers as environment variables
>>> to the invoking shell. This makes these SIP proxies vulnerable to
>>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>>> exec functions and has the 'setvars' parameter set to 1 (default)
>>> then by sending a SIP message containing a specially crafted header
>>> we can run arbitrary code on the proxy machine.
>>
>> Every time I read about the Shellshock vulnerability I get
>> flashbacks to this SNES game:
>> https://www.youtube.com/watch?v=lASNUQ7M8gs
>>
>> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
>> <[email protected]> wrote:
>>
>>> Weird. I'm using a Wheezy base install built via debootstrap on
>>> an Open Hosting container. It uses bash by default for the root
>>> user. Perhaps debootstrap or my platform build scripts override
>>> the default shell for root to be bash?
>>>
>>> Anyhoo, I think most people prefer Bash because it is very close
>>> to a real programming language. This shellshock shitstorm might
>>> be a setback for popular programming culture.
>>>
>>> -lee
>>>
>>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>
>>>> That's for "Lenny users:". See this section:
>>>>
>>>> Squeeze users:
>>>>
>>>> * Dash is always installed.
>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>
>>>> .hc
>>>>
>>>> Lee Azzarello wrote:
>>>>> I'm confused. The article you linked is instructions to
>>>>> install dash and configure a base system to use it as
>>>>> default. Am I misunderstanding something?
>>>>>
>>>>> -lee
>>>>>
>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>>>> <[email protected]> wrote:
>>>>>
>>>>>> dash is still the default /bin/sh, for speed and
>>>>>> security, but you can change that to bash if you want:
>>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>>
>>>>>> Ubuntu also uses dash by default:
>>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>>
>>>>>> .hc
>>>>>>
>>>>>> Lee Azzarello wrote:
>>>>>>> This output is from a Debian stable base system built
>>>>>>> with debootstrap and no additional packages installed.
>>>>>>>
>>>>>>> root@debian:~# ls -l /bin/sh
>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>
>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>
>>>>>>> -lee
>>>>>>>
>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>> This seems mitigated by the fact that /bin/sh is ->
>>>>>>>> dash on debian. So unless something does explicitly
>>>>>>>> #!/bin/bash, things should be okay.
>>>>>>>>
>>>>>>>> BTW, there's a related vuln that's not fixed yet -
>>>>>>>> CVE-2014-7169
>>>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>>>
>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>>>>>> A remote code execution bug was found in the GNU
>>>>>>>>> Bash shell.
>>>>>>>>>
>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>
>>>>>>>>> I tested it on Debian stable from two days ago
>>>>>>>>> and indeed, I could execute code after a function
>>>>>>>>> definition in an environment variable. A server I
>>>>>>>>> updated yesterday evening was not vulnerable, as
>>>>>>>>> the Debian team got a patch released quite fast.
>>>>>>>>>
>>>>>>>>> This affects any server you run any code on,
>>>>>>>>> though the remote code execution attack vector is
>>>>>>>>> unlikely for many contemporary application
>>>>>>>>> servers. Read the write-up for details about a
>>>>>>>>> proof of concept.
>>>>>>>>>
>>>>>>>>> Good Morning!
>>>>>>>>>
>>>>>>>>> -lee
>>>>>>
>>>>>> --
>>>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81

_______________________________________________
Guardian-dev mailing list

Post: [email protected]
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev

To Unsubscribe Send email to: [email protected]
Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com

You are subscribed as: [email protected]
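As an added example that is not part of the thread, the following POSIX sh script checks a host for the two points argued over above: what /bin/sh actually resolves to (the `ls -l /bin/sh` question), and whether the bash found in PATH still runs a trailing command after an exported function definition, which is the behaviour CVE-2014-6271 describes. It assumes `readlink -f` and `basename` are available (coreutils or busybox); the probe variable name and the marker string are constructed here and the trailing command is a harmless `echo`, so the script only reports, it does not change anything. Because it is written for /bin/sh rather than bash, it runs the same under dash.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Reports (1) the target of the /bin/sh symlink and (2) whether the
# installed bash still imports a function definition from the
# environment and executes what follows it (CVE-2014-6271).

# Resolve /bin/sh through any chain of symlinks.
# Assumption: readlink -f exists (GNU coreutils or busybox).
sh_target() {
    if [ -L /bin/sh ]; then
        readlink -f /bin/sh
    else
        printf '%s\n' /bin/sh
    fi
}

# Exit status 0 when /bin/sh ultimately points at a bash binary.
sh_is_bash() {
    case "$(basename "$(sh_target)")" in
        bash) return 0 ;;
        *)    return 1 ;;
    esac
}

# Classify the probe's captured output. The marker is only ever printed
# by the command that trails the function definition, so its presence
# means bash evaluated past the closing brace.
classify_probe_output() {
    case "$1" in
        *SHELLSHOCK_TRAILER_RAN*) echo vulnerable ;;
        *)                        echo patched ;;
    esac
}

# Status of the bash in PATH: "absent", "vulnerable" or "patched".
# The probe exports a variable whose value is a no-op function body
# followed by an echo; a patched bash ignores the variable entirely
# (it only imports functions from BASH_FUNC_* names), so the marker
# never appears.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo absent; return 0; }
    out=$(env probe='() { :; }; echo SHELLSHOCK_TRAILER_RAN' \
              bash -c 'echo probe done' 2>/dev/null)
    classify_probe_output "$out"
}

report() {
    printf '/bin/sh -> %s\n' "$(sh_target)"
    if sh_is_bash; then
        echo "/bin/sh is bash: every #!/bin/sh script and system() call is handled by bash"
    else
        echo "/bin/sh is not bash: only #!/bin/bash scripts and explicit bash invocations are exposed"
    fi
    printf 'bash in PATH: %s\n' "$(bash_shellshock_status)"
}

report
```

On a system where /bin/sh is dash the first line of the report is the mitigation Dev Random describes; the third line is the check to run after the package update Lee mentions, since a patched bash prints `patched` regardless of which shell /bin/sh points to.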
