[SR-Users] Bash Code Injection and 'exec' module

Daniel-Constantin Mierla miconda at gmail.com
Thu Sep 25 16:53:18 CEST 2014


OK, ignore my previous email then...

Thanks again,
Daniel

On 25/09/14 16:51, Seudin Kasumovic wrote:
> Sorry, I attached the wrong patch in the previous post.
>
> Here is the new one, with fixed body length comparison.
>
> On Thu, Sep 25, 2014 at 4:40 PM, Seudin Kasumovic
> <seudin.kasumovic at gmail.com> wrote:
>
>     Hi kamailio users,
>
>     we are witnesses to a newly discovered bug in bash: Bash Code
>     Injection Vulnerability via Specially Crafted Environment
>     Variables (CVE-2014-6271) https://access.redhat.com/node/1200223
>
>     As the exec module exports all SIP headers into the environment,
>     it was easy to push a bash command.
>
>     Attached is a simple kamailio test config file.
>     With sipp we sent a header to output 123 into the file /tmp/123 like this:
>
>     User-Agent: () { :;}; echo 123 > /tmp/123
>
>     Debug output from kamailio is:
>
>     5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CONTENT_LENGTH=135
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CONTENT_TYPE=application/sdp
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE,
>     NOTIFY, INFO, PUBLISH
>
>     * 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123*
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_SUBJECT=Performance Test
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_MAX_FORWARDS=70
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CONTACT=<sip:T00157 at 198.51.100.2:5060>
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CSEQ=1 INVITE
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CALLID=1-5394 at 198.51.100.2
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_TO=+442033998806 <sip:+442033998806@orange.voip>
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_FROM=+442033998833
>     <sip:T00157 at orange.voip>;tag=5394SIPpTag001
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
>
>      5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing
>     [/bin/true]
>
>     ls /tmp shows the newly created file!!!
>
>     I created a simple patch to fix this issue in the exec module, based
>     on the suggestion from RedHat, until you fix your bash, which is recommended.
>
>     -- 
>     Seudin Kasumovic
>
>
>
>
> -- 
> MSC Seudin Kasumovic
> Tuzla, Bosnia
>

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Next Kamailio Advanced Trainings 2014 - http://www.asipto.com
Sep 22-25, Berlin, Germany
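
Added example, not part of the original thread and not the patch attached to it: a minimal C sketch of the kind of check described above, which refuses to export a header whose body begins with the bash function-definition prefix `() {`, comparing the body length first. The names `hf_body_is_unsafe` and `export_safe` and the `struct hf` layout are hypothetical; the sample headers are constructed from the debug output quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Prefix that unpatched bash treats as a function definition in an env value. */
static const char FUNC_PREFIX[] = "() {";

/* Hypothetical helper: returns 1 if a header body of `len` bytes (not
 * necessarily NUL-terminated, as in a parsed SIP message) starts with it. */
int hf_body_is_unsafe(const char *body, size_t len)
{
    size_t plen = sizeof(FUNC_PREFIX) - 1;
    /* Check the length first so a short body is never read past its end. */
    if (body == NULL || len < plen)
        return 0;
    return memcmp(body, FUNC_PREFIX, plen) == 0;
}

struct hf { const char *name; const char *body; };

/* Constructed sample, using variable names and values from the debug output. */
static const struct hf sample[] = {
    { "SIP_HF_CONTENT_TYPE", "application/sdp" },
    { "SIP_HF_USER_AGENT",   "() { :;}; echo 123 > /tmp/123" },
    { "SIP_HF_MAX_FORWARDS", "70" },
    { "SIP_HF_SUBJECT",      "()" },   /* shorter than the prefix: allowed */
};

/* Writes NAME=value for each safe header into out[]; returns the count kept. */
int export_safe(const struct hf *h, int n, char out[][128])
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (hf_body_is_unsafe(h[i].body, strlen(h[i].body))) {
            fprintf(stderr, "skipping %s: value looks like a bash function\n",
                    h[i].name);
            continue;
        }
        snprintf(out[kept++], 128, "%s=%s", h[i].name, h[i].body);
    }
    return kept;
}

int main(void)
{
    char env[4][128];
    int n = export_safe(sample, 4, env);
    for (int i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```

As the original message says, a filter like this is a stop-gap in the exporting application; updating bash is the recommended fix.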
