<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi Seudin,<br>
    <br>
    thanks for the heads up about the vulnerabilities out there affecting us
    and for the patch!<br>
    <br>
    One comment regarding the patch, I see this comparison:<br>
    <br>
    if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,2))) {<br>
    <br>
    and I see the string being compared is of size 4. Missing something?<br>
    <br>
    Cheers,<br>
    Daniel<br>
    <br>
    <div class="moz-cite-prefix">On 25/09/14 16:40, Seudin Kasumovic
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAHbz3+2MkDwQhKLLQ58MrZTsXAGrF5BuTVm_vOMC1+tcYiHfbQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi kamailio users,
        <div><br>
        </div>
        <div>we are witnesses of a newly discovered bug in bash:  Bash Code
          Injection Vulnerability via Specially Crafted Environment
          Variables (CVE-2014-6271) <a moz-do-not-send="true"
            href="https://access.redhat.com/node/1200223">https://access.redhat.com/node/1200223</a></div>
        <div><br>
        </div>
        <div>As the exec module exports all SIP headers into the environment,
          it was easy to push a bash command.<br>
        </div>
        <div><br>
        </div>
        <div>Attached is a simple kamailio test config file.</div>
        <div>With sipp we sent a header to output 123 into the file /tmp/123
          like this:</div>
        <div><br>
        </div>
        <div>User-Agent: () { :;}; echo 123 > /tmp/123<br>
        </div>
        <div>
          <div><br>
          </div>
          <div>Debug output from kamailio is:</div>
          <div><br>
          </div>
          <div>
            <p class="">5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_CONTENT_LENGTH=135</p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp</p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS,
              BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH</p>
            <p class=""><b> 5(30147) DEBUG: exec [exec_hf.c:278]:
                print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123
                > /tmp/123</b></p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_SUBJECT=Performance Test</p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_MAX_FORWARDS=70</p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_CONTACT=&lt;<a
                moz-do-not-send="true"
                href="http://sip:T00157@198.51.100.2:5060">sip:T00157@198.51.100.2:5060</a>&gt;</p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_CSEQ=1 INVITE</p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_CALLID=<a moz-do-not-send="true"
                href="mailto:1-5394@198.51.100.2">1-5394@198.51.100.2</a></p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_TO=+442033998806
              <a class="moz-txt-link-rfc2396E" href="sip:+442033998806@orange.voip">&lt;sip:+442033998806@orange.voip&gt;</a></p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_FROM=+442033998833
              <a class="moz-txt-link-rfc2396E" href="sip:T00157@orange.voip">&lt;sip:T00157@orange.voip&gt;</a>;tag=5394SIPpTag001</p>
            <p class=""> 5(30147) DEBUG: exec [exec_hf.c:278]:
              print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP
              198.51.100.2:5060;branch=z9hG4bK-5394-1-0</p>
            <p class=""> 5(30147) DEBUG: exec [exec_mod.c:175]:
              w_exec_msg(): executing [/bin/true]</p>
          </div>
          <div>ls /tmp shows the newly created file!!!</div>
          <div><br>
          </div>
          <div>I created a simple patch to fix this issue in the exec module,
            based on the suggestion from RedHat, until you fix your bash,
            which is recommended.</div>
          <div><br>
          </div>
          -- <br>
          Seudin Kasumovic<br>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla</pre>
  </body>
</html>