[SR-Users] Bash Code Injection and 'exec' module
Daniel-Constantin Mierla
miconda at gmail.com
Thu Sep 25 16:53:18 CEST 2014
OK, ignore my previous email then...
Thanks again,
Daniel
On 25/09/14 16:51, Seudin Kasumovic wrote:
> Sorry, I attached the wrong patch in the previous post.
>
> Here is a new one with the fixed body length comparison.
>
> On Thu, Sep 25, 2014 at 4:40 PM, Seudin Kasumovic
> <seudin.kasumovic at gmail.com> wrote:
>
> Hi kamailio users,
>
> we are witnesses of a newly discovered bug in bash: Bash Code
> Injection Vulnerability via Specially Crafted Environment
> Variables (CVE-2014-6271) https://access.redhat.com/node/1200223
>
> As the exec module exports all SIP headers in the environment, it was
> easy to push a bash command.
>
> Attached is a simple kamailio test config file.
> With sipp we sent a header to output 123 into the file /tmp/123, like this:
>
> User-Agent: () { :;}; echo 123 > /tmp/123
>
> Debug output from kamailio is:
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CONTENT_LENGTH=135
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CONTENT_TYPE=application/sdp
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE,
> NOTIFY, INFO, PUBLISH
>
> * 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123*
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_SUBJECT=Performance Test
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_MAX_FORWARDS=70
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CONTACT=<sip:T00157 at 198.51.100.2:5060>
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CSEQ=1 INVITE
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_CALLID=1-5394 at 198.51.100.2
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_TO=+442033998806 <sip:+442033998806@orange.voip>
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_FROM=+442033998833
> <sip:T00157 at orange.voip>;tag=5394SIPpTag001
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
> SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
>
> 5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing
> [/bin/true]
>
> ls /tmp shows the newly created file !!!
>
> I created a simple patch to fix this issue in the exec module, based on
> the suggestion from Red Hat, until you fix your bash, which is recommended.
>
> --
> Seudin Kasumovic
>
>
>
>
> --
> MSC Seudin Kasumovic
> Tuzla, Bosnia
>
>
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Next Kamailio Advanced Trainings 2014 - http://www.asipto.com
Sep 22-25, Berlin, Germany
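
The kind of check the thread is discussing, as an added example that is neither the attached patch nor Kamailio's code: before a header value is exported as a `SIP_HF_*` environment variable, refuse it if it begins with the `() {` function-definition prefix seen in the `User-Agent` value above. The function names, return codes and the simplified name mapping are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when a header value begins with "() {", the prefix an unpatched
 * bash interprets as an exported function definition when it imports its
 * environment. Leading whitespace is skipped as a conservative choice. */
int hf_value_is_funcdef(const char *val, size_t len)
{
    static const char prefix[] = "() {";
    const size_t plen = sizeof(prefix) - 1;

    while (len > 0 && isspace((unsigned char)*val)) {
        val++;
        len--;
    }
    return len >= plen && memcmp(val, prefix, plen) == 0;
}

/* Hypothetical helper (not Kamailio's API): writes "SIP_HF_<NAME>=<value>"
 * into out. Returns 0 on success, -1 when the value is refused, -2 when
 * out is too small. */
int build_hf_env(const char *name, const char *val, char *out, size_t outlen)
{
    int n;
    size_t i;

    if (hf_value_is_funcdef(val, strlen(val)))
        return -1;
    n = snprintf(out, outlen, "SIP_HF_%s=%s", name, val);
    if (n < 0 || (size_t)n >= outlen)
        return -2;
    /* Upper-case the name and map '-' to '_' (User-Agent -> USER_AGENT). */
    for (i = 7; out[i] != '\0' && out[i] != '='; i++)
        out[i] = (out[i] == '-') ? '_' : (char)toupper((unsigned char)out[i]);
    return 0;
}

int main(void)
{
    char env[256]; /* sample input below is the header value quoted above */
    int rc = build_hf_env("User-Agent", "() { :;}; echo 123 > /tmp/123",
                          env, sizeof(env));
    printf("User-Agent: %s\n", rc == 0 ? env : "refused");
    return 0;
}
```

A filter like this only narrows what reaches the environment; as the quoted message says, updating bash is the recommended fix.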