<div dir="ltr">sorry, I attached wrong patch in previous post<div><br></div><div>here is new with fixed body length comparison.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 25, 2014 at 4:40 PM, Seudin Kasumovic <span dir="ltr"><<a href="mailto:seudin.kasumovic@gmail.com" target="_blank">seudin.kasumovic@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi kamailio users,<div><br></div><div>we are witnesses of new discovered bug in bash: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) <a href="https://access.redhat.com/node/1200223" target="_blank">https://access.redhat.com/node/1200223</a></div><div><br></div><div>As exec module exports all SIP headers in environment so it's was easy to push bash command.<br></div><div><br></div><div>There is attached simple kamailio test config file.</div><div>With sipp we sent header to output 123 into file /tmp/123 like this:</div><div><br></div><div>User-Agent: () { :;}; echo 123 > /tmp/123<br></div><div><div><br></div><div>Debug output from kamailio is:</div><div><br></div><div>
<p>5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_LENGTH=135</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH</p>
<p><b> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123</b></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_SUBJECT=Performance Test</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_MAX_FORWARDS=70</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTACT=<<a href="http://sip:T00157@198.51.100.2:5060" target="_blank">sip:T00157@198.51.100.2:5060</a>></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1 INVITE</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CALLID=<a href="mailto:1-5394@198.51.100.2" target="_blank">1-5394@198.51.100.2</a></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_TO=<a href="tel:%2B442033998806" value="+442033998806" target="_blank">+442033998806</a> <sip:<a href="tel:%2B442033998806" value="+442033998806" target="_blank">+442033998806</a>@orange.voip></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_FROM=<a href="tel:%2B442033998833" value="+442033998833" target="_blank">+442033998833</a> <sip:T00157@orange.voip>;tag=5394SIPpTag001</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0</p>
<p> 5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing [/bin/true]</p></div><div>ls /tmp shows new created file !!!</div><div><br></div><div>I created simple patch to fix this issue in exec module based on suggestion from RedHat until you fix your bash what is recommended.</div><span class="HOEnZb"><font color="#888888"><div><br></div>-- <br>Seudin Kasumovic<br><br></font></span></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>MSC Seudin Kasumovic<br>Tuzla, Bosnia
</div>