Hello,
I would like to announce that Call for Presentations at Kamailio World
2023 is now open. You can submit your proposal or see more details at:
- https://www.kamailioworld.com/k2023/call-for-speakers/
The 11th edition of the conference returns to Berlin, Germany, during
June 5-7, 2023, as an in-person event. Expect a large range of
participants, developers and community members as well as
representatives of other popular open source VoIP projects such as
Asterisk or FreeSwitch.
Looking forward to meeting many of you there!
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - June 5-7, 2023 - www.kamailioworld.com
Module: kamailio
Branch: master
Commit: 4f296b4058b75ef27b16a9f8fc2bf3ec2d8e896c
URL: https://github.com/kamailio/kamailio/commit/4f296b4058b75ef27b16a9f8fc2bf3e…
Author: Kamailio Dev <kamailio.dev(a)kamailio.org>
Committer: Kamailio Dev <kamailio.dev(a)kamailio.org>
Date: 2023-01-23T14:31:57+01:00
modules: readme files regenerated - exec ... [skip ci]
---
Modified: src/modules/exec/README
---
Diff: https://github.com/kamailio/kamailio/commit/4f296b4058b75ef27b16a9f8fc2bf3e…
Patch: https://github.com/kamailio/kamailio/commit/4f296b4058b75ef27b16a9f8fc2bf3e…
---
diff --git a/src/modules/exec/README b/src/modules/exec/README
index c16c8c54c7..4f1a3892b8 100644
--- a/src/modules/exec/README
+++ b/src/modules/exec/README
@@ -97,6 +97,20 @@ Chapter 1. Admin Guide
$$SIP_OUSER) in the parameters given to exec functions. Otherwise they
will be evaluated as Kamailio pseudo-variables, throwing errors.
+ WARNING: if the exec functions are passed variables that might include
+ malicious input, then remote attackers may abuse the exec functions to
+ execute arbitrary code. Specifically, this may result in OS command
+ injection. In such cases, input validation is required to prevent the
+ vulnerability. The following is an example of how input validation and
+ exec module functions may be used together to prevent exploitation:
+...
+if !($rU =~ "^[0-9]{1,15}$") {
+ xlog("Malformed R-URI username: '$rU'\n");
+ exit;
+}
+exec_msg("echo TEST >> /tmp/$(rU).txt");
+...
+
2. Dependencies
2.1. Kamailio Modules
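Review bot: the allow-list check in the new WARNING example guards only `$rU`, while the paragraph says validation is required for any variable passed to an exec function that may carry untrusted input; suggest the text state explicitly that every pseudo-variable interpolated into the command string needs an equally strict check, because the shell still interprets the whole expanded string and a deny-list of shell metacharacters is not a substitute for the digit-only pattern shown. Since the commit subject says this README is regenerated, the wording change belongs in the DocBook source (src/modules/exec/doc/exec_admin.xml), not here.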
@@ -167,7 +181,7 @@ modparam("exec", "time_to_kill", 20)
Example 1.3. exec_dset usage
...
exec_dset("echo TEST > /tmp/test.txt");
-exec_dset("echo TEST > /tmp/$rU.txt");
+exec_dset("echo TEST > /tmp/$(rU).txt");
...
4.2. exec_msg(command)
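Review bot: Example 1.3 still interpolates `$(rU)` straight into a shell command with no check, so a reader who copies it gets exactly the pattern the new WARNING describes; suggest either prefixing the example with the same `if !($rU =~ "^[0-9]{1,15}$") { ... exit; }` guard or adding one line pointing back to the warning. The `$rU.txt` to `$(rU).txt` change itself is correct: the source commit's message records that the old form was parsed as a pseudo-variable named `rU.txt`.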
@@ -191,7 +205,7 @@ exec_dset("echo TEST > /tmp/$rU.txt");
Example 1.4. exec_msg usage
...
exec_msg("echo TEST > /tmp/test.txt");
-exec_msg("echo TEST > /tmp/$rU.txt");
+exec_msg("echo TEST > /tmp/$(rU).txt");
...
4.3. exec_avp(command [, avplist])
@@ -235,7 +249,7 @@ exec_avp("echo TEST", "$avp(s:test)");
Example 1.6. exec_cmd usage
...
exec_cmd("echo TEST > /tmp/test.txt");
-exec_cmd("echo TEST > /tmp/$rU.txt");
+exec_cmd("echo TEST > /tmp/$(rU).txt");
...
5. Known Issues
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/3335
-- Commit Summary --
* replace SIGINFO64_WORKARROUND with SIGINFO64_WORKAROUND
* utils/kamctl: typos
* doc/tutorials: typos
-- File Changes --
M doc/scripts/cdefs2doc/dump_cfg_defs.pl (2)
M doc/scripts/cdefs2doc/dump_counters.pl (2)
M doc/scripts/cdefs2doc/dump_rpcs.pl (2)
M doc/scripts/cdefs2doc/dump_selects.pl (2)
M doc/tutorials/cfg_list/Makefile (2)
M doc/tutorials/counter_list/Makefile (2)
M doc/tutorials/dns.txt (4)
M doc/tutorials/locking.txt (12)
M doc/tutorials/logging-api.txt (2)
M doc/tutorials/modules_init.txt (2)
M doc/tutorials/parse_headers.txt (2)
M doc/tutorials/presence/cfg/full_ps.cfg (8)
M doc/tutorials/presence/cfg/ps.cfg (12)
M doc/tutorials/presence/draft_iptel_im_rules.xml (4)
M doc/tutorials/presence/install.xml (2)
M doc/tutorials/presence/intro.xml (2)
M doc/tutorials/presence/trouble.xml (4)
M doc/tutorials/presence/xcap.xml (6)
M doc/tutorials/rpc/kamailio_rpc.txt (2)
M doc/tutorials/rpc/kamailio_rpc.xml (10)
M doc/tutorials/rpc_list/Makefile (2)
M doc/tutorials/rpc_list/docbook/rpc_malloc_test.xml (2)
M doc/tutorials/rpc_list/rpc_malloc_test.txt (2)
M doc/tutorials/select_list/Makefile (2)
M doc/tutorials/ser_radius/ser_radius.xml (2)
M doc/tutorials/serdev/db_interface.xml (2)
M doc/tutorials/serdev/hfname_parser.xml (4)
M doc/tutorials/serdev/locking.xml (6)
M doc/tutorials/serdev/modiface.xml (6)
M doc/tutorials/serdev/msg_start.xml (2)
M doc/tutorials/serdev/select_module.xml (6)
M doc/tutorials/serdev/startup.xml (8)
M doc/tutorials/serfaq/serfaq.xml (2)
M doc/tutorials/serhowto/ser-howto.xml (8)
M doc/tutorials/seruser/apps.xml (2)
M doc/tutorials/seruser/intro.xml (4)
M doc/tutorials/seruser/otherapps.xml (2)
M doc/tutorials/sip/sip_introduction.xml (8)
M doc/tutorials/tcp_tunning.txt (2)
M doc/tutorials/timers.txt (2)
M src/Makefile.defs (2)
M src/core/io_wait.h (4)
M utils/kamctl/dbtextdb/dbtextdb.py (14)
M utils/kamctl/kamctl.base (2)
M utils/kamctl/kamctlrc (2)
M utils/kamctl/kamdbctl (6)
M utils/kamctl/xhttp_pi/acc-mod (6)
M utils/kamctl/xhttp_pi/alias_db-mod (2)
M utils/kamctl/xhttp_pi/auth_db-mod (2)
M utils/kamctl/xhttp_pi/avpops-mod (2)
M utils/kamctl/xhttp_pi/carrierroute-mod (8)
M utils/kamctl/xhttp_pi/cpl-mod (2)
M utils/kamctl/xhttp_pi/dialog-mod (4)
M utils/kamctl/xhttp_pi/dialplan-mod (2)
M utils/kamctl/xhttp_pi/dispatcher-mod (2)
M utils/kamctl/xhttp_pi/domain-mod (4)
M utils/kamctl/xhttp_pi/domainpolicy-mod (2)
M utils/kamctl/xhttp_pi/drouting-mod (8)
M utils/kamctl/xhttp_pi/group-mod (4)
M utils/kamctl/xhttp_pi/htable-mod (2)
M utils/kamctl/xhttp_pi/imc-mod (4)
M utils/kamctl/xhttp_pi/lcr-mod (6)
M utils/kamctl/xhttp_pi/matrix-mod (2)
M utils/kamctl/xhttp_pi/mohqueue-mod (4)
M utils/kamctl/xhttp_pi/msilo-mod (2)
M utils/kamctl/xhttp_pi/mtree-mod (4)
M utils/kamctl/xhttp_pi/pdt-mod (2)
M utils/kamctl/xhttp_pi/permissions-mod (4)
M utils/kamctl/xhttp_pi/pi_framework-01 (6)
M utils/kamctl/xhttp_pi/pi_framework.xml (148)
M utils/kamctl/xhttp_pi/pipelimit-mod (2)
M utils/kamctl/xhttp_pi/presence-mod (10)
M utils/kamctl/xhttp_pi/purple-mod (2)
M utils/kamctl/xhttp_pi/registrar-mod (2)
M utils/kamctl/xhttp_pi/rls-mod (4)
M utils/kamctl/xhttp_pi/rtpengine-mod (2)
M utils/kamctl/xhttp_pi/rtpproxy-mod (2)
M utils/kamctl/xhttp_pi/sca-mod (2)
M utils/kamctl/xhttp_pi/secfilter-mod (2)
M utils/kamctl/xhttp_pi/siptrace-mod (2)
M utils/kamctl/xhttp_pi/speeddial-mod (2)
M utils/kamctl/xhttp_pi/standard-mod (2)
M utils/kamctl/xhttp_pi/topos-mod (4)
M utils/kamctl/xhttp_pi/uac-mod (2)
M utils/kamctl/xhttp_pi/uid_auth_db-mod (2)
M utils/kamctl/xhttp_pi/uid_avp_db-mod (2)
M utils/kamctl/xhttp_pi/uid_domain-mod (4)
M utils/kamctl/xhttp_pi/uid_gflags-mod (2)
M utils/kamctl/xhttp_pi/uid_uri_db-mod (4)
M utils/kamctl/xhttp_pi/uri_db-mod (2)
M utils/kamctl/xhttp_pi/userblocklist-mod (4)
M utils/kamctl/xhttp_pi/usrloc-mod (4)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/3335.patch
https://github.com/kamailio/kamailio/pull/3335.diff
Module: kamailio
Branch: master
Commit: f81f0e77c5ab67431af1f62f0e027379a3445951
URL: https://github.com/kamailio/kamailio/commit/f81f0e77c5ab67431af1f62f0e02737…
Author: Sandro Gauci <sandro(a)enablesecurity.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2023-01-23T14:18:44+01:00
exec: docs - added security warning
- Added warning about potential for OS Command Injection
- Updated invalid examples
previous example gives the following error:
pv_parse_spec2(): error searching pvar "rU.txt"
---
Modified: src/modules/exec/doc/exec_admin.xml
---
Diff: https://github.com/kamailio/kamailio/commit/f81f0e77c5ab67431af1f62f0e02737…
Patch: https://github.com/kamailio/kamailio/commit/f81f0e77c5ab67431af1f62f0e02737…
---
diff --git a/src/modules/exec/doc/exec_admin.xml b/src/modules/exec/doc/exec_admin.xml
index fd0d88f4f5..93ea78cd87 100644
--- a/src/modules/exec/doc/exec_admin.xml
+++ b/src/modules/exec/doc/exec_admin.xml
@@ -77,6 +77,23 @@
Otherwise they will be evaluated as &kamailio; pseudo-variables,
throwing errors.
</para>
+ <para>
+ WARNING: if the exec functions are passed variables that might include
+ malicious input, then remote attackers may abuse the exec functions to
+ execute arbitrary code. Specifically, this may result in OS command injection.
+ In such cases, input validation is required to prevent the vulnerability.
+ The following is an example of how input validation and exec module
+ functions may be used together to prevent exploitation:
+ </para>
+ <programlisting format="linespecific">
+...
+if !($rU =~ "^[0-9]{1,15}$") {
+ xlog("Malformed R-URI username: '$rU'\n");
+ exit;
+}
+exec_msg("echo TEST >> /tmp/$(rU).txt");
+...
+ </programlisting>
</section>
<section>
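Review bot: the new paragraph never says why the example writes `$(rU)` rather than `$rU`; the commit message explains that `$rU.txt` was parsed as a pseudo-variable named `rU.txt`, so one sentence along the lines of "use the `$(name)` form when the variable is immediately followed by characters that could be read as part of its name" would spare readers the same `pv_parse_spec2()` error. Also, `WARNING:` as literal text inside `<para>` renders as ordinary body text; DocBook's `<warning>` admonition element would make it stand out in the generated README and HTML.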
@@ -186,7 +203,7 @@ modparam("exec", "time_to_kill", 20)
<programlisting format="linespecific">
...
exec_dset("echo TEST > /tmp/test.txt");
-exec_dset("echo TEST > /tmp/$rU.txt");
+exec_dset("echo TEST > /tmp/$(rU).txt");
...
</programlisting>
</example>
@@ -225,7 +242,7 @@ exec_dset("echo TEST > /tmp/$rU.txt");
<programlisting format="linespecific">
...
exec_msg("echo TEST > /tmp/test.txt");
-exec_msg("echo TEST > /tmp/$rU.txt");
+exec_msg("echo TEST > /tmp/$(rU).txt");
...
</programlisting>
</example>
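Review bot: the exec_msg call in the new WARNING example appends with `>>` while Example 1.4 here overwrites with `>`; align the two so the difference does not read as intentional. The example also still passes an unchecked `$(rU)` to the shell; a one-line reference back to the validation shown in the warning would keep the two sections consistent.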
@@ -300,7 +317,7 @@ exec_avp("echo TEST", "$avp(s:test)");
<programlisting format="linespecific">
...
exec_cmd("echo TEST > /tmp/test.txt");
-exec_cmd("echo TEST > /tmp/$rU.txt");
+exec_cmd("echo TEST > /tmp/$(rU).txt");
...
</programlisting>
</example>
@@ -315,4 +332,3 @@ exec_cmd("echo TEST > /tmp/$rU.txt");
</para>
</section>
</chapter>
-