[SR-Users] Bash Code Injection and 'exec' module

Seudin Kasumovic seudin.kasumovic at gmail.com
Thu Sep 25 16:51:19 CEST 2014


Sorry, I attached the wrong patch in the previous post.

Here is a new one with the fixed body length comparison.

On Thu, Sep 25, 2014 at 4:40 PM, Seudin Kasumovic <
seudin.kasumovic at gmail.com> wrote:

> Hi kamailio users,
>
> we are witnesses of a newly discovered bug in bash:  Bash Code Injection
> Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
> https://access.redhat.com/node/1200223
>
> As the exec module exports all SIP headers into the environment, it was easy
> to push a bash command.
>
> A simple kamailio test config file is attached.
> With sipp we sent a header to output 123 into the file /tmp/123, like this:
>
> User-Agent: () { :;}; echo 123 > /tmp/123
>
> Debug output from kamailio is:
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_LENGTH=135
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_SUBJECT=Performance Test
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_MAX_FORWARDS=70
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTACT=<sip:T00157 at 198.51.100.2:5060>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1 INVITE
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CALLID=1-5394 at 198.51.100.2
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_TO=+442033998806 <sip:+442033998806 at orange.voip>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_FROM=+442033998833 <sip:T00157 at orange.voip>;tag=5394SIPpTag001
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
> 5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing [/bin/true]
>
> ls /tmp shows the newly created file!!!
>
> I created a simple patch to fix this issue in the exec module, based on the
> suggestion from RedHat, until you fix your bash, which is what is recommended.
>
> --
> Seudin Kasumovic
>
>


-- 
MSC Seudin Kasumovic
Tuzla, Bosnia
diff --git a/modules/exec/exec_hf.c b/modules/exec/exec_hf.c
index c83550f..96b990e 100644
--- a/modules/exec/exec_hf.c
+++ b/modules/exec/exec_hf.c
@@ -256,12 +256,22 @@ static int print_hf_var(struct hf_wrapper *w, int offset)
 	memcpy(envvar, w->prefix, w->prefix_len); c=envvar+w->prefix_len;
 	memcpy(c, hname, hlen ); c+=hlen;
 	*c=EV_ASSIGN;c++;
-	memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
-	c+=w->u.hf->body.len;
+	if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+		memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+		c+=(w->u.hf->body.len-2);
+	} else {
+		memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+		c+=w->u.hf->body.len;
+	}
 	for (wi=w->next_same; wi; wi=wi->next_same) {
 		*c=HF_SEPARATOR;c++;
-		memcpy(c, wi->u.hf->body.s+offset, wi->u.hf->body.len );
-		c+=wi->u.hf->body.len;
+		if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+			memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+			c+=(w->u.hf->body.len-2);
+		} else {
+			memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+			c+=w->u.hf->body.len;
+		}
 	}
 	*c=0; /* zero termination */
 	LM_DBG("%s\n", envvar );
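Review bot: the `next_same` loop (the second added block) tests and copies `w->u.hf->body` instead of `wi->u.hf->body`, so for a header that occurs several times every extra occurrence now exports the first body again; the branch should read `wi->u.hf->body.s` / `wi->u.hf->body.len` like the lines it replaces. The prefix test is also unsafe on short bodies: `strncmp(..., "() {", MIN(body.len, 4))` compares only `body.len` bytes, so an empty body (n = 0) or a body consisting of just `(` matches, and `body.len-2` then goes negative and reaches `memcpy` as a huge `size_t`; require `body.len >= 4` before comparing and take the plain copy otherwise. Two smaller points: the comparison looks at `body.s` while the copy starts at `body.s+offset`, so with a non-zero `offset` the check and the copy inspect different bytes; and dropping the first two bytes relies on bash anchoring its `() {` test at offset 0 (it does), but it silently changes the header value the executed script sees, where inserting a leading space, or not exporting the header at all, would keep the value intact. Please also confirm that `MIN` is defined in this file or its includes.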


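The post describes two things: how the exec module turns every SIP header into an environment variable (the `SIP_HF_...=` lines in the debug output), and how a `User-Agent` value starting with `() {` is then executed by a vulnerable bash. The following is an added example, not code from the post or from kamailio's exec module: it rebuilds such a variable from a SIP-style (pointer, length) header and applies a bounds-checked filter for the `() {` prefix, neutralizing it with a leading space rather than by cutting bytes out of the value. The `SIP_HF_` prefix and the name mapping (upper case, `-` to `_`) are inferred from the debug lines; the function names, the leading-space neutralization and the sample headers are my own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Environment-variable prefix inferred from the debug output in the post
 * (SIP_HF_USER_AGENT, SIP_HF_VIA, ...); assumption, not the module's macro. */
#define HF_ENV_PREFIX "SIP_HF_"

/* Would an unpatched bash (CVE-2014-6271) import this value as a function?
 * bash compares exactly the first four bytes of the value with "() {", so a
 * body shorter than four bytes can never match. Callers pass SIP-style
 * (pointer, length) strings that are not NUL-terminated. */
int is_bash_function_export(const char *body, int body_len)
{
    return body_len >= 4 && memcmp(body, "() {", 4) == 0;
}

/* Build "SIP_HF_<NAME>=<value>" into out. The header name is upper-cased with
 * '-' mapped to '_'. If the body would be imported as a bash function, one
 * leading space is inserted before it: bash's test is anchored at offset 0,
 * so the value can no longer define a function, nothing is truncated, and the
 * executed script still sees the full header text. Returns the number of
 * bytes written (excluding the NUL), or -1 if the result would not fit. */
int export_header(const char *name, int name_len,
                  const char *body, int body_len,
                  char *out, size_t out_sz)
{
    size_t pre = strlen(HF_ENV_PREFIX);
    int pad;
    size_t need;
    char *c = out;
    int i;

    if (name_len < 0 || body_len < 0)
        return -1;
    pad = is_bash_function_export(body, body_len) ? 1 : 0;
    /* prefix + name + '=' + optional ' ' + body + NUL */
    need = pre + (size_t)name_len + 1 + (size_t)pad + (size_t)body_len + 1;
    if (need > out_sz)
        return -1;

    memcpy(c, HF_ENV_PREFIX, pre);
    c += pre;
    for (i = 0; i < name_len; i++) {
        unsigned char ch = (unsigned char)name[i];
        *c++ = (ch == '-') ? '_' : (char)toupper(ch);
    }
    *c++ = '=';
    if (pad)
        *c++ = ' ';
    memcpy(c, body, (size_t)body_len);
    c += body_len;
    *c = '\0';
    return (int)(c - out);
}

/* Constructed sample: headers from the post plus the short bodies that a
 * naive prefix check must not choke on (empty body, a lone parenthesis). */
int main(void)
{
    static const char *sample[][2] = {
        { "User-Agent",   "() { :;}; echo 123 > /tmp/123" },
        { "Subject",      "Performance Test" },
        { "Max-Forwards", "70" },
        { "X-Empty",      "" },
        { "X-Paren",      "(" },
    };
    char env[256];
    size_t n;

    for (n = 0; n < sizeof sample / sizeof sample[0]; n++) {
        const char *h = sample[n][0], *b = sample[n][1];
        int len = export_header(h, (int)strlen(h), b, (int)strlen(b),
                                env, sizeof env);
        printf("%-12s -> %s%s\n", h,
               is_bash_function_export(b, (int)strlen(b)) ? "[neutralized] " : "",
               len < 0 ? "(too long)" : env);
    }
    return 0;
}
```

The length check is done once, before any byte is written, and the `() {` test short-circuits on `body_len < 4`, so the empty and one-byte bodies that make a `len - 2` computation wrap are handled without special cases. Whether to pad, drop the header, or stop exporting headers altogether is a policy choice; the space is the least intrusive option while bash itself is still unpatched.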