-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I got tired of the hype. How's the following code for a mitigation, at
least until bash is officially fixed?

The code is at http://ad5ey.net/bash_shock_fix.c
And sig is at http://ad5ey.net/bash_shock_fix.c.asc

Simple usage:

cd /bin
gcc -std=c11 -Wall -Wextra bash_shock_fix.c -o bash_shock_fix
mv bash bash.real
ln -s bash_shock_fix bash

phoenix(pts/1):~bin# ls -al bash*
lrwxrwxrwx 1 root root      14 Sep 27 00:23 bash -> bash_shock_fix
-rwxr-xr-x 1 root root 1029624 Sep 24 14:51 bash.real
-rwxr-xr-x 1 root root    9555 Sep 27 00:23 bash_shock_fix
-rw-r--r-- 1 root root    2990 Sep 27 00:23 bash_shock_fix.c
phoenix(pts/1):~bin#

Basically, if some program does invoke /bin/bash, control first passes to
bash_shock_fix which truncates suspicious environment variables. (and it
dumps messages to the system log if/when it finds anything...)

The check should match for any variety of white space:

=(){
=() {
= ( ) {

etc... but feel free to update it for whatever other stupid things bash
allows.

- David

On 9/27/14, 4:26 AM, Lee Azzarello wrote:
| Chris, you rule, thanks. This is the first peep about SIP security I
| have /ever received from anyone at any time/. I'm checking the server
| but I don't think I'm using that module. I don't have to execute shell
| scripts for anything on the Kamailio layer in ostel.co. I also updated
| the shell a few hours after the public announcement of the exploit so
| it should be moot but the escalating panic is stronk.
|
| -lee
|
| On 9/26/14, 1:02 PM, Chris Ballinger wrote:
|> Saw this SIP server Shellshock scanner today:
|> https://github.com/zaf/sipshock
|>
|>> The exec module in Kamailio, Opensips and probably every other SER
|>> fork passes the received SIP headers as environment variables to
|>> the invoking shell. This makes these SIP proxies vulnerable to
|>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
|>> exec functions and has the 'setvars' parameter set to 1 (default)
|>> then by sending a SIP message containing a specially crafted header
|>> we can run arbitrary code on the proxy machine.
|>
|> Every time I read about the Shellshock vulnerability I get
|> flashbacks to this SNES game:
|> https://www.youtube.com/watch?v=lASNUQ7M8gs
|>
|> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
|> <[email protected] <mailto:[email protected]>> wrote:
|>
|> Weird. I'm using a Wheezy base install built via debootstrap on an
|> Open Hosting container. It uses bash by default for the root user.
|> Perhaps debootstrap or my platform build scripts override the
|> default shell for root to be bash?
|>
|> Anyhoo, I think most people prefer Bash because it is very close to
|> a real programming language. This shellshock shitstorm might be a
|> setback for popular programming culture.
|>
|> -lee
|>
|> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
|>
|>> That's for "Lenny users:". See this section:
|>>
|>> Squeeze users:
|>>
|>> * Dash is always installed.
|>> * /bin/sh is dash by default (even for upgraded systems).
|>>
|>> .hc
|>>
|>> Lee Azzarello wrote:
|>>> I'm confused. The article you linked is instructions to
|>>> install dash and configure a base system to use it as default.
|>>> Am I misunderstanding something?
|>>>
|>>> -lee
|>>>
|>>> On Thursday, September 25, 2014, Hans-Christoph Steiner <
|>>> [email protected] <mailto:[email protected]>> wrote:
|>>>
|>>>> dash is still the default /bin/sh, for speed and security,
|>>>> but you can change that to bash if you want:
|>>>> https://wiki.debian.org/DashAsBinSh
|>>>>
|>>>> Ubuntu also uses dash by default:
|>>>> https://wiki.ubuntu.com/DashAsBinSh
|>>>>
|>>>> .hc
|>>>>
|>>>> Lee Azzarello wrote:
|>>>>> This output is from a Debian stable base system built with
|>>>>> debootstrap and no additional packages installed.
|>>>>>
|>>>>> root@debian:~# ls -l /bin/sh
|>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
|>>>>>
|>>>>> I don't think Debian has used Dash since Sarge.
|>>>>>
|>>>>> -lee
|>>>>>
|>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
|>>>>>> This seems mitigated by the fact that /bin/sh is -> dash
|>>>>>> on debian. So unless something does explicitly
|>>>>>> #!/bin/bash, things should be okay.
|>>>>>>
|>>>>>> BTW, there's a related vuln that's not fixed yet -
|>>>>>> CVE-2014-7169
|>>>>>> https://news.ycombinator.com/item?id=8365158
|>>>>>>
|>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
|>>>>>>> A remote code execution bug was found in the GNU Bash
|>>>>>>> shell.
|>>>>>>>
|>>>>>>> http://seclists.org/oss-sec/2014/q3/650
|>>>>>>>
|>>>>>>> I tested it on Debian stable from two days ago and
|>>>>>>> indeed, I could execute code after a function
|>>>>>>> definition in an environment variable. A server I
|>>>>>>> updated yesterday evening was not vulnerable, as the
|>>>>>>> Debian team got a patch released quite fast.
|>>>>>>>
|>>>>>>> This affects any server you run any code on, though
|>>>>>>> the remote code execution attack vector is unlikely for
|>>>>>>> many contemporary application servers. Read the write
|>>>>>>> up for details about a proof of concept.
|>>>>>>>
|>>>>>>> Good Morning!
|>>>>>>>
|>>>>>>> -lee
|>>>>>>> _______________________________________________
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUJqmYAAoJEOlCEloZIuIhmI8P/1wXQLrpHD35cmxYljWHcJGw
IazrRqHJ+Hnkk8iEyqgLWPbQ8nqd6SoJ5tN3WCHGLOsQZBg4aZEbm5bLk0LYqtMM
ooNuD9n3pWYh7+P47EzfbgSQHw2Lj3dpeL59nwUUaQXirec2KWBDboHaTqFoLsGQ
UXZfsypxIjR7bvF902blzBaNQ7UiPKo1LHw6ICMumm7Gh+NbBCWDdiNp9nQnvEWA
Ia2cpGLll77ZX27GQbpSnoyXpLjZ8oQEXAWODPHQ2W71KzzYY/T+dzRFLlddgH7L
bVKB41xwEvu5CtVjuNpVPrhTtLffIU5TNh8Jz0V73Z9gJ5Rm4xm1xrxK+nqi/LLE
+UHyuJ7acIkJ1XEXaaimG5VuHTUcHIR8CUBxuw9oFCztJP+vZCnkNWWniu/hrE0t
SOlqwaB2Dt/0FeQTHZ1auOJfgQJGRqsMBmgxwoYKTg411DvR/upqU398tl4fkgyk
7psCU9FaPsujpZJnnmkTc8fWke/rEtgw+j8G+NXGN231KnPCczblcNcBlFAfxhRi
8s5lIOVVh0UVu1d04lsvlDjtwj1sJnT2Yn0B9wNgQGZwbWvAqXD6/5D01ajlcNAa
wQFc/EZuuh996wZL4dxITzbWfROOmFm9qQxTNi2ZOkNiziryxAroz6O/MsgafXzW
H44g7ODPVanwupLXaXFk
=SV+t
-----END PGP SIGNATURE-----
_______________________________________________
Guardian-dev mailing list
Post: [email protected]
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
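Added example, not David's bash_shock_fix.c (which is only linked above, not reproduced): a wrapper in the same shape as the one he describes, written for this page to show the two pieces that matter, the whitespace-tolerant "( ) {" prefix check and the in-place truncation of matching entries before the real shell is exec'd. Assumptions labelled in the code: the real interpreter has been renamed to /bin/bash.real as in his usage, a matching variable is cut back to NAME= rather than unset, reports go through syslog(3), and the sample environment in self_check() is constructed, not captured from a real request.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

extern char **environ;

/* Where the real interpreter lives after "mv bash bash.real".
 * Assumed path for this example; adjust if you keep it elsewhere. */
#define REAL_BASH "/bin/bash.real"

static int is_blank(char c) { return c == ' ' || c == '\t'; }

/* Does VALUE (the text after '=' in an environment entry) look like an
 * exported shell function, i.e. "(" ")" "{" with any run of blanks between?
 * Matches "(){", "() {", "( ) {" and "  ( ) {"; rejects "(x) {" and plain
 * strings.  Returns 1 on match, 0 otherwise. */
int looks_like_function_export(const char *value)
{
    const char *p = value;
    while (is_blank(*p)) p++;
    if (*p != '(') return 0;
    p++;
    while (is_blank(*p)) p++;
    if (*p != ')') return 0;
    p++;
    while (is_blank(*p)) p++;
    return *p == '{';
}

/* Walk ENVP in place.  Each entry whose value matches is cut back to "NAME="
 * (still defined, but empty, so bash never sees the "() {" prefix and never
 * runs its function-import parser on the string) and reported to syslog.
 * Entries without '=' are left alone.  Returns the number truncated. */
int scrub_environment(char **envp)
{
    int hits = 0;
    for (char **e = envp; *e != NULL; e++) {
        char *eq = strchr(*e, '=');
        if (eq == NULL || !looks_like_function_export(eq + 1))
            continue;
        /* Log the name and only the first bytes of the value: the value is
         * attacker-controlled and may be long. */
        syslog(LOG_WARNING, "truncated suspicious variable %.*s (value began %.8s)",
               (int)(eq - *e), *e, eq + 1);
        eq[1] = '\0';
        hits++;
    }
    return hits;
}

/* Constructed sample environment (not a real capture) so the scrub logic can
 * be exercised without exec'ing anything.  Returns the hit count when every
 * entry ends up as expected, -1 otherwise. */
int self_check(void)
{
    char ua[]    = "HTTP_USER_AGENT=() { :;}; /bin/echo pwned";
    char path[]  = "PATH=/usr/bin:/bin";
    char sip[]   = "SIP_FROM= ( ) { :; }; id";
    char tight[] = "X=(){ :;};";
    char noeq[]  = "NOEQUALS";
    char *env[]  = { ua, path, sip, tight, noeq, NULL };

    int hits = scrub_environment(env);
    if (strcmp(ua, "HTTP_USER_AGENT=") != 0) return -1;
    if (strcmp(path, "PATH=/usr/bin:/bin") != 0) return -1;
    if (strcmp(sip, "SIP_FROM=") != 0) return -1;
    if (strcmp(tight, "X=") != 0) return -1;
    if (strcmp(noeq, "NOEQUALS") != 0) return -1;
    return hits;
}

int main(int argc, char **argv)
{
    (void)argc;
    openlog("bash_shock_fix", LOG_PID, LOG_AUTH);
    if (scrub_environment(environ) > 0)
        syslog(LOG_NOTICE, "environment scrubbed before exec of %s", REAL_BASH);
    closelog();
    /* argv is passed through unchanged, so bash.real still sees argv[0] as
     * "bash", "sh" or "-bash" and picks its mode accordingly. */
    execve(REAL_BASH, argv, environ);
    perror(REAL_BASH);   /* only reached if the exec failed */
    return 127;
}
```

Two caveats worth keeping in mind with any wrapper of this kind. First, it only intercepts invocations that resolve to the wrapped path: if /bin/sh is itself a link to bash, or another copy of bash is installed elsewhere, those paths need the same treatment. Second, truncating before bash ever parses the value is what makes it effective against the follow-up parser bug (CVE-2014-7169, mentioned later in the quoted thread) as well as the original one, but the same "() {" encoding is what bash's own `export -f` uses, so legitimately exported functions are dropped too.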
