[SR-Users] Bash Code Injection and 'exec' module

Daniel-Constantin Mierla miconda at gmail.com
Thu Sep 25 17:07:08 CEST 2014


Your patch was pushed to master, 4.1 and 4.0 branches.

In addition, I pushed a patch with a new module parameter that could 
disable the escape of the sensitive header part, just in case it would be 
needed by people who know what they do. Not documented in the readme, as 
it probably should be removed rather soon.

Cheers,
Daniel

On 25/09/14 16:51, Seudin Kasumovic wrote:
> Sorry, I attached the wrong patch in the previous post.
>
> Here is the new one with the fixed body length comparison.
>
> On Thu, Sep 25, 2014 at 4:40 PM, Seudin Kasumovic 
> <seudin.kasumovic at gmail.com> wrote:
>
>     Hi kamailio users,
>
>     we are witnesses of a newly discovered bug in bash: Bash Code
>     Injection Vulnerability via Specially Crafted Environment
>     Variables (CVE-2014-6271) https://access.redhat.com/node/1200223
>
>     As the exec module exports all SIP headers into the environment,
>     it was easy to push a bash command.
>
>     Attached is a simple kamailio test config file.
>     With sipp we sent a header to output 123 into the file /tmp/123 like this:
>
>     User-Agent: () { :;}; echo 123 > /tmp/123
>
>     Debug output from kamailio is:
>
>     5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CONTENT_LENGTH=135
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CONTENT_TYPE=application/sdp
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE,
>     NOTIFY, INFO, PUBLISH
>
>     * 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123*
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_SUBJECT=Performance Test
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_MAX_FORWARDS=70
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CONTACT=<sip:T00157 at 198.51.100.2:5060>
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CSEQ=1 INVITE
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_CALLID=1-5394 at 198.51.100.2
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_TO=+442033998806 <sip:+442033998806@orange.voip>
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_FROM=+442033998833
>     <sip:T00157 at orange.voip>;tag=5394SIPpTag001
>
>      5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
>     SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
>
>      5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing
>     [/bin/true]
>
>     ls /tmp shows the newly created file!!!
>
>     I created a simple patch to fix this issue in the exec module, based
>     on the suggestion from RedHat, until you fix your bash, which is
>     recommended.
>
>     -- 
>     Seudin Kasumovic
>
>
>
>
> -- 
> MSC Seudin Kasumovic
> Tuzla, Bosnia
>
>

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Next Kamailio Advanced Trainings 2014 - http://www.asipto.com
Sep 22-25, Berlin, Germany
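
The check discussed in this thread, sketched as an added example (not the patch attached to the thread and not Kamailio's code): a header body is tested for the bash function-definition prefix before it is exported as a `SIP_HF_*` variable, with the length compared first because header bodies are counted strings. The function names and the `__` replacement are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Bash without the CVE-2014-6271 fix treats an environment value that
 * begins with exactly these four bytes as a function definition. */
static const char FUNCDEF[] = "() {";
#define FUNCDEF_LEN (sizeof(FUNCDEF) - 1)

/* Header bodies are pointer + length, not NUL-terminated, so the length is
 * checked before comparing: a 2-byte body "()" must neither match nor be
 * read past its end. (Hypothetical helper name.) */
int hf_is_funcdef(const char *body, size_t len)
{
    return len >= FUNCDEF_LEN && memcmp(body, FUNCDEF, FUNCDEF_LEN) == 0;
}

/* Build "NAME=value" in out[] for the child environment. When the body
 * starts with the marker, the leading "()" is overwritten with "__"
 * (neutralisation chosen for this example) so the shell sees plain data.
 * Returns the string length, or -1 if out[] is too small. */
int hf_to_env(const char *name, const char *body, size_t len,
              char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    if (nlen + 2 > outsz || len > outsz - nlen - 2)
        return -1;
    memcpy(out, name, nlen);
    out[nlen] = '=';
    memcpy(out + nlen + 1, body, len);
    if (hf_is_funcdef(body, len))
        memcpy(out + nlen + 1, "__", 2);
    out[nlen + 1 + len] = '\0';
    return (int)(nlen + 1 + len);
}

int main(void)
{
    /* Header values taken from the debug output quoted in the thread. */
    const char *ua = "() { :;}; echo 123 > /tmp/123";
    const char *subj = "Performance Test";
    char env[256];

    if (hf_to_env("SIP_HF_USER_AGENT", ua, strlen(ua), env, sizeof env) > 0)
        puts(env);
    if (hf_to_env("SIP_HF_SUBJECT", subj, strlen(subj), env, sizeof env) > 0)
        puts(env);
    return 0;
}
```
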
