[sr-dev] [kamailio] multiple /tmp file vulnerabilities (#48)

Victor Seva notifications at github.com
Tue Jan 20 10:46:34 CET 2015


Reported by: Helmut Grohne <helmut at subdivi.de>

The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which
can be selected via the CFGFILE= setting in /etc/default/kamailio. The
configuration contains:
```
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
```
This setting is insecure and may allow local users to elevate privileges
to the kamailio user.

The issue extends to kamailio-advanced.cfg. It seems that this is due to
an incomplete fix of #712083. Looking further, the state of /tmp file
vulnerabilities in kamailio looks worrisome. Most of the results of the
following command (to be executed in the kamailio source) are likely
vulnerable if executed:
```
grep '/tmp/[a-z0-9_.-]\+\(\$\$\)\?\([" ]\|$\)' -r .
```
Granted, some of the results are examples, documentation or obsolete.
But quite a few reach the default settings:

 * kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
 * The kamailio build definitely is vulnerable as can be seen in
   utils/kamctl/Makefile.

More research clearly is required here.  Given these findings, the
security team may want to veto the inclusion of kamailio in a stable
release, which would be very unfortunate as kamailio is quite a unique
piece of software with few competitors in its field.

Helmut

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775681

---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/48
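
One way to audit a configuration for the kind of setting reported above, as an added example that is not part of the original report or of kamailio's own tooling. It parses `modparam` lines and flags string values that point directly into a directory any local user can write to. The sample configuration is constructed (the `ctl` line and the `/var/run/kamailio` path are assumptions), and the names `audit` and `is_world_writable` are hypothetical.

```python
import os
import re
import stat

# modparam("module", "param", "value") with a string value
MODPARAM = re.compile(r'modparam\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')
# transport prefixes on socket-style values such as unixs:/tmp/kamailio_ctl
SCHEME = re.compile(r'^(?:unix|unixs|unixd):')


def is_world_writable(directory):
    """True if directory exists and any local user may create entries in it."""
    try:
        mode = os.stat(directory).st_mode
    except OSError:
        return False
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH)


def audit(cfg_text, world_writable=is_world_writable):
    """Return (line_no, module, param, path) for each modparam whose value is
    an absolute path placed directly in a world-writable directory."""
    findings = []
    for no, line in enumerate(cfg_text.splitlines(), 1):
        stripped = line.strip()
        # skip commented-out settings; "#!" lines are preprocessor directives
        if stripped.startswith("//") or (
                stripped.startswith("#") and not stripped.startswith("#!")):
            continue
        for module, param, value in MODPARAM.findall(line):
            path = SCHEME.sub("", value)
            if path.startswith("/") and world_writable(os.path.dirname(path)):
                findings.append((no, module, param, path))
    return findings


# Constructed sample input; only the first modparam line is quoted in the report.
SAMPLE_CFG = '''\
# constructed sample
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
modparam("ctl", "binrpc", "unix:/tmp/kamailio_ctl")
# modparam("mi_fifo", "fifo_name", "/tmp/old_fifo")
modparam("mi_fifo", "fifo_name", "/var/run/kamailio/kamailio_fifo")
'''

if __name__ == "__main__":
    for hit in audit(SAMPLE_CFG):
        print("line %d: %s.%s -> %s" % hit)
```

The check stats the parent directory instead of matching the string `/tmp`, so it also catches other shared locations and stays quiet when the path sits in a directory owned by the service user.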