[SR-Users] Bash Code Injection and 'exec' module

Seudin Kasumovic seudin.kasumovic at gmail.com
Thu Sep 25 16:40:56 CEST 2014


Hi kamailio users,

we are witnesses of a newly discovered bug in bash: Bash Code Injection
Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
https://access.redhat.com/node/1200223

As the exec module exports all SIP headers into the environment, it was easy to
push a bash command.

A simple kamailio test config file is attached.
With sipp we sent a header to output 123 into the file /tmp/123 like this:

User-Agent: () { :;}; echo 123 > /tmp/123

Debug output from kamailio is:

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_LENGTH=135
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_SUBJECT=Performance Test
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_MAX_FORWARDS=70
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTACT=<sip:T00157 at 198.51.100.2:5060>
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1 INVITE
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CALLID=1-5394 at 198.51.100.2
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_TO=+442033998806 <sip:+442033998806 at orange.voip>
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_FROM=+442033998833 <sip:T00157 at orange.voip>;tag=5394SIPpTag001
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing [/bin/true]
ls /tmp shows the newly created file!!!

I created a simple patch to fix this issue in the exec module, based on the
suggestion from Red Hat, until you fix your bash, which is what is recommended.

-- 
Seudin Kasumovic
-------------- next part --------------
diff --git a/modules/exec/exec_hf.c b/modules/exec/exec_hf.c
index c83550f..96b990e 100644
--- a/modules/exec/exec_hf.c
+++ b/modules/exec/exec_hf.c
@@ -256,12 +256,22 @@ static int print_hf_var(struct hf_wrapper *w, int offset)
 	memcpy(envvar, w->prefix, w->prefix_len); c=envvar+w->prefix_len;
 	memcpy(c, hname, hlen ); c+=hlen;
 	*c=EV_ASSIGN;c++;
-	memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
-	c+=w->u.hf->body.len;
+	if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,2))) {
+		memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+		c+=(w->u.hf->body.len-2);
+	} else {
+		memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+		c+=w->u.hf->body.len;
+	}
 	for (wi=w->next_same; wi; wi=wi->next_same) {
 		*c=HF_SEPARATOR;c++;
-		memcpy(c, wi->u.hf->body.s+offset, wi->u.hf->body.len );
-		c+=wi->u.hf->body.len;
+		if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,2))) {
+			memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+			c+=(w->u.hf->body.len-2);
+		} else {
+			memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+			c+=w->u.hf->body.len;
+		}
 	}
 	*c=0; /* zero termination */
 	LM_DBG("%s\n", envvar );
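Review bot: the guard in both branches compares only `MIN(w->u.hf->body.len, 2)` bytes against `"() {"`, so it matches any value that merely starts with `()`, and for a body shorter than two bytes `strncmp` with length 0 matches everything while `body.len-2` goes negative before reaching `memcpy`; it also ignores `offset`, which the copy does use. In the `for (wi=w->next_same; ...)` loop the check and the copy read `w->u.hf` instead of `wi->u.hf`, so repeated instances of the same header are never inspected and the first instance is copied again. Suggest comparing the full pattern, e.g. `if (w->u.hf->body.len >= 4 && !strncmp(w->u.hf->body.s+offset, "() {", 4))`, using `wi` inside the loop, and refusing to export (or at least logging) the header rather than silently dropping two bytes, since the rest of the value, ` { :;}; ...`, still lands in the child's environment.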
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2014-6271.cfg
Type: application/octet-stream
Size: 374 bytes
Desc: not available
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20140925/1544e89e/attachment.obj>
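As an added example (not kamailio's own code and not the patch above), the following C shows the defender-side alternative to stripping bytes from the value: inspect every instance of a header for the CVE-2014-6271 trigger before it is exported into the environment and refuse to export the variable at all when one is found. The function names `hf_value_is_bash_func_def` and `build_hf_env` are hypothetical; the `SIP_HF_` prefix and the `,` separator for repeated headers are taken from the debug output quoted in the post; the header values in `main` are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kamailio's own code. The names below
 * (hf_value_is_bash_func_def, build_hf_env) are hypothetical; the
 * "SIP_HF_" prefix and the ',' separator for repeated headers mirror
 * the debug output quoted in the post. */

/* Returns 1 when a header value carries the CVE-2014-6271 trigger: a
 * bash function definition "() {" at the start of the value. Vulnerable
 * bash versions only match the exact prefix, but leading whitespace is
 * skipped here as a conservative defender-side choice, because the SIP
 * parser may already have trimmed it before the value is exported. */
int hf_value_is_bash_func_def(const char *s, size_t len)
{
    static const char pat[] = "() {";
    const size_t plen = sizeof(pat) - 1;
    size_t i = 0;

    while (i < len && isspace((unsigned char)s[i]))
        i++;
    if (len - i < plen)          /* too short to hold the trigger */
        return 0;
    return memcmp(s + i, pat, plen) == 0;
}

/* Builds "SIP_HF_<NAME>=<v1>,<v2>,..." for every instance of one header.
 * Every instance is inspected, not just the first one, and the whole
 * variable is refused (return -1, nothing written) when any instance
 * carries the trigger, so the child process never sees it. Also returns
 * -1 when the output buffer is too small. On success returns the length. */
int build_hf_env(char *out, size_t outlen, const char *name,
                 const char **values, const size_t *vlens, size_t n)
{
    static const char prefix[] = "SIP_HF_";
    const size_t plen = sizeof(prefix) - 1;
    size_t pos = 0, i;
    const char *p;

    for (i = 0; i < n; i++)
        if (hf_value_is_bash_func_def(values[i], vlens[i]))
            return -1;              /* refuse to export; caller should log */

    if (plen + strlen(name) + 1 >= outlen)
        return -1;
    memcpy(out, prefix, plen);
    pos = plen;
    for (p = name; *p; p++)         /* User-Agent -> USER_AGENT */
        out[pos++] = (*p == '-') ? '_' : (char)toupper((unsigned char)*p);
    out[pos++] = '=';

    for (i = 0; i < n; i++) {
        if (i > 0) {
            if (pos + 1 >= outlen)
                return -1;
            out[pos++] = ',';       /* separator for repeated headers */
        }
        if (pos + vlens[i] >= outlen)
            return -1;
        memcpy(out + pos, values[i], vlens[i]);
        pos += vlens[i];
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* constructed sample values using the header names from the post */
    char env[256];
    const char *ua[]   = { "() { :;}; echo 123 > /tmp/123" };
    size_t ualen[]     = { strlen(ua[0]) };
    const char *subj[] = { "Performance Test" };
    size_t subjlen[]   = { strlen(subj[0]) };

    if (build_hf_env(env, sizeof env, "User-Agent", ua, ualen, 1) < 0)
        printf("User-Agent rejected: bash function definition in value\n");
    if (build_hf_env(env, sizeof env, "Subject", subj, subjlen, 1) > 0)
        printf("exported: %s\n", env);
    return 0;
}
```

Refusing the whole variable, rather than trimming the first two bytes, leaves nothing for a vulnerable bash to parse and gives the operator a clear event to log; the length checks also mean a short or empty header body can never underflow the copy.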
