<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Your patch was pushed to master, 4.1 and 4.0 branches.<br>
<br>
In addition, I pushed a patch with a new module parameter that could
disable the escape of the sensitive header part, just in case it would
be needed by people who know what they do. Not documented in the readme,
as it probably should be removed rather soon.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<div class="moz-cite-prefix">On 25/09/14 16:51, Seudin Kasumovic
wrote:<br>
</div>
<blockquote
cite="mid:CAHbz3+2N8kUcNGxwT=NRG-SQErtRZvE3Ue6_UxDCMHo1PY+9JQ@mail.gmail.com"
type="cite">
<div dir="ltr">Sorry, I attached the wrong patch in the previous post
<div><br>
</div>
<div>Here is the new one with fixed body length comparison.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Sep 25, 2014 at 4:40 PM, Seudin
Kasumovic <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:seudin.kasumovic@gmail.com" target="_blank">seudin.kasumovic@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi kamailio users,
<div><br>
</div>
<div>we are witnesses of a newly discovered bug in bash: Bash
Code Injection Vulnerability via Specially Crafted
Environment Variables (CVE-2014-6271) <a
moz-do-not-send="true"
href="https://access.redhat.com/node/1200223"
target="_blank">https://access.redhat.com/node/1200223</a></div>
<div><br>
</div>
<div>As the exec module exports all SIP headers in the environment,
it was easy to push a bash command.<br>
</div>
<div><br>
</div>
<div>Attached is a simple kamailio test config file.</div>
<div>With sipp we sent a header to output 123 into the file
/tmp/123 like this:</div>
<div><br>
</div>
<div>User-Agent: () { :;}; echo 123 > /tmp/123<br>
</div>
<div>
<div><br>
</div>
<div>Debug output from kamailio is:</div>
<div><br>
</div>
<div>
<p>5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTENT_LENGTH=135</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL,
OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
PUBLISH</p>
<p><b> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo
123 > /tmp/123</b></p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_SUBJECT=Performance Test</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_MAX_FORWARDS=70</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CONTACT=&lt;sip:T00157@198.51.100.2:5060&gt;</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CSEQ=1 INVITE</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_CALLID=1-5394@198.51.100.2</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_TO=+442033998806 &lt;sip:+442033998806@orange.voip&gt;</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_FROM=+442033998833
&lt;sip:T00157@orange.voip&gt;;tag=5394SIPpTag001</p>
<p> 5(30147) DEBUG: exec [exec_hf.c:278]:
print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP
198.51.100.2:5060;branch=z9hG4bK-5394-1-0</p>
<p> 5(30147) DEBUG: exec [exec_mod.c:175]:
w_exec_msg(): executing [/bin/true]</p>
</div>
<div>ls /tmp shows the newly created file!!!</div>
<div><br>
</div>
<div>I created a simple patch to fix this issue in the exec
module, based on the suggestion from RedHat, until you fix
your bash, which is recommended.</div>
<span class="HOEnZb"><font color="#888888">
<div><br>
</div>
-- <br>
Seudin Kasumovic<br>
<br>
</font></span></div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
MSC Seudin Kasumovic<br>
Tuzla, Bosnia
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
</pre>
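Added example, not part of the thread and not the patch that was pushed to the exec module: one way to escape the sensitive start of a header value before it is exported, so that a bash affected by CVE-2014-6271 no longer sees a value beginning with `() {`. The names `is_func_import` and `build_env_entry`, the `escape` flag (standing in for the module parameter, whose real name the thread does not give), the `_` replacement character and the simplified header-name mapping are all assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENV_PREFIX "SIP_HF_"  /* prefix seen in the debug output above */
#define FUNC_MARK  "() {"     /* value prefix a vulnerable bash imports as a function */

/* 1 if the value starts with the function-import marker, else 0. */
int is_func_import(const char *val)
{
    return val != NULL && strncmp(val, FUNC_MARK, strlen(FUNC_MARK)) == 0;
}

/* Build "SIP_HF_<NAME>=<value>" in out. Name mapping is simplified (assumption):
 * alphanumerics are upper-cased, everything else becomes '_'.
 * If escape is set and the value starts with "() {", its '(' is replaced by '_'.
 * Returns 1 if escaped, 0 if copied unchanged, -1 on bad input or short buffer. */
int build_env_entry(const char *name, const char *val,
                    char *out, size_t outlen, int escape)
{
    size_t plen = strlen(ENV_PREFIX), nlen, vlen, i;

    if (name == NULL || val == NULL || out == NULL)
        return -1;
    nlen = strlen(name);
    vlen = strlen(val);
    if (nlen == 0 || plen + nlen + 1 + vlen + 1 > outlen)
        return -1;                 /* fail closed rather than truncate */

    memcpy(out, ENV_PREFIX, plen);
    for (i = 0; i < nlen; i++) {   /* User-Agent -> USER_AGENT */
        unsigned char c = (unsigned char)name[i];
        out[plen + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[plen + nlen] = '=';
    memcpy(out + plen + nlen + 1, val, vlen + 1);   /* includes the NUL */

    if (!escape || !is_func_import(val))
        return 0;
    out[plen + nlen + 1] = '_';    /* "() {" -> "_) {": no longer a function import */
    return 1;
}

int main(void)
{
    char buf[128];
    int r = build_env_entry("User-Agent", "() { :;}; echo 123 > /tmp/123", buf, sizeof buf, 1);
    printf("%d %s\n", r, r < 0 ? "(error)" : buf);
    return 0;
}
```

With `escape` set to 0 the value is exported unchanged, which is the behaviour the reply describes as being for people who know what they do; a script that reads the escaped variable sees the altered first byte.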
</body>
</html>