[SR-Users] Bash Code Injection and 'exec' module
Daniel-Constantin Mierla
miconda at gmail.com
Thu Sep 25 16:52:35 CEST 2014
Hi Seudin,
thanks for the heads-up about the vulnerabilities out there affecting us, and
for the patch!
One comment regarding the patch, I see this comparison:
if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,2))) {
and I see a string of size 4 being compared. Missing something?
Cheers,
Daniel
On 25/09/14 16:40, Seudin Kasumovic wrote:
> Hi kamailio users,
>
> we are witnesses of a newly discovered bug in bash: Bash Code Injection
> Vulnerability via Specially Crafted Environment Variables
> (CVE-2014-6271) https://access.redhat.com/node/1200223
>
> As the exec module exports all SIP headers into the environment, it was
> easy to push a bash command.
>
> Attached is a simple kamailio test config file.
> With sipp we sent a header to output 123 into the file /tmp/123, like this:
>
> User-Agent: () { :;}; echo 123 > /tmp/123
>
> Debug output from kamailio is:
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CONTENT_LENGTH=135
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CONTENT_TYPE=application/sdp
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE,
> NOTIFY, INFO, PUBLISH
>
> * 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123*
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_SUBJECT=Performance Test
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_MAX_FORWARDS=70
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CONTACT=<sip:T00157@198.51.100.2:5060>
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1
> INVITE
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CALLID=1-5394@198.51.100.2
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_TO=+442033998806 <sip:+442033998806@orange.voip>
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_FROM=+442033998833 <sip:T00157@orange.voip>;tag=5394SIPpTag001
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
>
> 5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing
> [/bin/true]
>
> ls /tmp shows the newly created file!!!
>
> I created a simple patch to fix this issue in the exec module, based on the
> suggestion from RedHat, until you fix your bash, which is recommended.
>
> --
> Seudin Kasumovic
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Next Kamailio Advanced Trainings 2014 - http://www.asipto.com
Sep 22-25, Berlin, Germany
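
Added example, not part of the original messages or of the patch under discussion: a stand-alone C comparison of the quoted strncmp() call (length capped at 2) against a check of the full 4-byte "() {" prefix on a counted string. The names hf_body_t, body_of, match_as_quoted and match_full_prefix are hypothetical, and the sample header bodies are constructed, apart from the User-Agent value taken from the thread.

```c
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Counted string modelled on the body.s / body.len pair in the quoted line
 * (hypothetical type name; the buffer need not be NUL-terminated). */
typedef struct { const char *s; int len; } hf_body_t;

static const char FUNC_PREFIX[] = "() {";
#define FUNC_PREFIX_LEN ((int)sizeof(FUNC_PREFIX) - 1) /* 4 bytes */

static hf_body_t body_of(const char *s)
{
    hf_body_t b = { s, (int)strlen(s) };
    return b;
}

/* Comparison as quoted in the thread: never looks past 2 bytes. */
static int match_as_quoted(const hf_body_t *b)
{
    return !strncmp(b->s, "() {", MIN(b->len, 2));
}

/* Full-prefix check: needs at least 4 bytes and compares all of them. */
static int match_full_prefix(const hf_body_t *b)
{
    return b->len >= FUNC_PREFIX_LEN
        && memcmp(b->s, FUNC_PREFIX, FUNC_PREFIX_LEN) == 0;
}

int main(void)
{
    /* Constructed header bodies; the first is the User-Agent value from the thread. */
    const char *samples[] = {
        "() { :;}; echo 123 > /tmp/123", "() sample-agent/1.0", "()", "(", "",
        "sipp/3.3",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        hf_body_t b = body_of(samples[i]);
        printf("%-32s quoted=%d full=%d\n", samples[i],
               match_as_quoted(&b), match_full_prefix(&b));
    }
    return 0;
}
```

With the length capped at 2, any body beginning with "()" matches, and so do a one-byte "(" and an empty body, because strncmp() with a length of 0 returns 0.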