Hi kamailio users,

we are witnesses of new discovered bug in bash:  Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) https://access.redhat.com/node/1200223

As exec module exports all SIP headers in environment so it's was easy to push bash command.

There is attached simple kamailio test config file.
With sipp we sent header to output 123 into file /tmp/123 like this:

User-Agent: () { :;}; echo 123 > /tmp/123

Debug output from kamailio is:

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_LENGTH=135

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_SUBJECT=Performance Test

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_MAX_FORWARDS=70

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTACT=<sip:T00157@198.51.100.2:5060>

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1 INVITE

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CALLID=1-5394@198.51.100.2

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_TO=+442033998806 <sip:+442033998806@orange.voip>

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_FROM=+442033998833 <sip:T00157@orange.voip>;tag=5394SIPpTag001

 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0

 5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing [/bin/true]

ls /tmp shows new created file !!!

I created simple patch to fix this issue in exec module based on suggestion from RedHat until you fix your bash what is recommended.

--
Seudin Kasumovic