OK, ignore my previous email then...
Thanks again,
Daniel
On 25/09/14 16:51, Seudin Kasumovic wrote:
sorry, I attached wrong patch in previous post
here is new with fixed body length comparison.
On Thu, Sep 25, 2014 at 4:40 PM, Seudin Kasumovic
<seudin.kasumovic(a)gmail.com <mailto:seudin.kasumovic@gmail.com>> wrote:
Hi kamailio users,
we are witnesses of new discovered bug in bash: Bash Code
Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271)
https://access.redhat.com/node/1200223
As exec module exports all SIP headers in environment so it's was
easy to push bash command.
There is attached simple kamailio test config file.
With sipp we sent header to output 123 into file /tmp/123 like this:
User-Agent: () { :;}; echo 123 > /tmp/123
Debug output from kamailio is:
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_CONTENT_LENGTH=135
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_CONTENT_TYPE=application/sdp
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE,
NOTIFY, INFO, PUBLISH
* 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123*
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_SUBJECT=Performance Test
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_MAX_FORWARDS=70
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_CONTACT=<sip:T00157@198.51.100.2:5060
<http://sip:T00157@198.51.100.2:5060>>
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_CSEQ=1 INVITE
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_CALLID=1-5394(a)198.51.100.2 <mailto:1-5394@198.51.100.2>
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_TO=+442033998806 <tel:%2B442033998806> <sip:+442033998806
<tel:%2B442033998806>@orange.voip>
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_FROM=+442033998833 <tel:%2B442033998833>
<sip:T00157@orange.voip>;tag=5394SIPpTag001
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing
[/bin/true]
ls /tmp shows new created file !!!
I created simple patch to fix this issue in exec module based on
suggestion from RedHat until you fix your bash what is recommended.
--
Seudin Kasumovic
--
MSC Seudin Kasumovic
Tuzla, Bosnia
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
Next Kamailio Advanced Trainings 2014 -
http://www.asipto.com
Sep 22-25, Berlin, Germany