Module: kamailio Branch: 5.6 Commit: ee7d314422003fc6edfbc364015499e38e18ae62 URL: https://github.com/kamailio/kamailio/commit/ee7d314422003fc6edfbc364015499e3...
Author: Sandro Gauci sandro@enablesecurity.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: 2023-02-24T13:50:24+01:00
exec: docs - added security warning
- Added warning about potential for OS Command Injection - Updated invalid examples
previous example gives the following error: pv_parse_spec2(): error searching pvar "rU.txt"
(cherry picked from commit f81f0e77c5ab67431af1f62f0e027379a3445951)
---
Modified: src/modules/exec/doc/exec_admin.xml
---
Diff: https://github.com/kamailio/kamailio/commit/ee7d314422003fc6edfbc364015499e3... Patch: https://github.com/kamailio/kamailio/commit/ee7d314422003fc6edfbc364015499e3...
---
diff --git a/src/modules/exec/doc/exec_admin.xml b/src/modules/exec/doc/exec_admin.xml index 12249d5104a..9dee3522d66 100644 --- a/src/modules/exec/doc/exec_admin.xml +++ b/src/modules/exec/doc/exec_admin.xml @@ -77,6 +77,23 @@ Otherwise they will be evaluated as &kamailio; pseudo-variables, throwing errors. </para> + <para> + WARNING: if the exec functions are passed variables that might include + malicious input, then remote attackers may abuse the exec functions to + execute arbitrary code. Specifically, this may result in OS command injection. + In such cases, input validation is required to prevent the vulnerability. + The following is an example of how input validation and exec module + functions may be used together to prevent exploitation: + </para> + <programlisting format="linespecific"> +... +if !($rU =~ "^[0-9]{1,15}$") { + xlog("Malformed R-URI username: '$rU'\n"); + exit; +} +exec_msg("echo TEST >> /tmp/$(rU).txt"); +... + </programlisting> </section>
<section> @@ -186,7 +203,7 @@ modparam("exec", "time_to_kill", 20) <programlisting format="linespecific"> ... exec_dset("echo TEST > /tmp/test.txt"); -exec_dset("echo TEST > /tmp/$rU.txt"); +exec_dset("echo TEST > /tmp/$(rU).txt"); ... </programlisting> </example> @@ -225,7 +242,7 @@ exec_dset("echo TEST > /tmp/$rU.txt"); <programlisting format="linespecific"> ... exec_msg("echo TEST > /tmp/test.txt"); -exec_msg("echo TEST > /tmp/$rU.txt"); +exec_msg("echo TEST > /tmp/$(rU).txt"); ... </programlisting> </example> @@ -300,7 +317,7 @@ exec_avp("echo TEST", "$avp(s:test)"); <programlisting format="linespecific"> ... exec_cmd("echo TEST > /tmp/test.txt"); -exec_cmd("echo TEST > /tmp/$rU.txt"); +exec_cmd("echo TEST > /tmp/$(rU).txt"); ... </programlisting> </example> @@ -315,4 +332,3 @@ exec_cmd("echo TEST > /tmp/$rU.txt"); </para> </section> </chapter> -
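Review bot: the new WARNING paragraph names only $rU in its example; it should state explicitly that every pseudo-variable interpolated into an exec command needs the same kind of anchored allowlist check, because the `>>` redirection in `exec_msg("echo TEST >> /tmp/$(rU).txt")` shows the string is interpreted by a shell, so any unvalidated variable placed in it is injectable. The `^[0-9]{1,15}$` pattern is the right shape (anchored at both ends, digits only, bounded length), and the `exit` branch is the safe default when the match fails; a sentence saying that a non-matching or empty $rU ends up on that branch would make the intent of the example clearer to readers copying it.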
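Review bot: the corrected example `exec_dset("echo TEST > /tmp/$(rU).txt")` still interpolates an unvalidated $rU straight into a shell command, which is exactly the pattern the new WARNING paragraph in this patch describes; add a one-line pointer from this example back to that warning, or prefix the example with the `if !($rU =~ "^[0-9]{1,15}$")` guard, so a reader copying the function example does not skip the validation.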
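Review bot: this exec_msg example and the one inside the new warning paragraph differ only in `>` versus `>>`; pick one so the two exec_msg snippets in the same document agree, and, as with the exec_dset example, reference the warning paragraph's validation guard here, since `$(rU)` is inserted unvalidated.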
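Review bot: `$(rU)` fixes the `pv_parse_spec2(): error searching pvar "rU.txt"` parse error cited in the commit message, but the exec_cmd example remains a verbatim instance of the injection the warning describes; a comment line such as `# validate $rU first, see the warning above` inside the programlisting would keep the example from being copied without its guard.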