Hi kamailio users,
we are witnesses of a newly discovered bug in bash: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) https://access.redhat.com/node/1200223
As the exec module exports all SIP headers into the environment, it was easy to push a bash command.
Attached is a simple kamailio test config file. With sipp we sent a header to output 123 into the file /tmp/123, like this:
User-Agent: () { :;}; echo 123 > /tmp/123
Debug output from kamailio is:
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_LENGTH=135
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_SUBJECT=Performance Test
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_MAX_FORWARDS=70
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTACT=<sip:T00157@198.51.100.2:5060>
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1 INVITE
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CALLID=1-5394@198.51.100.2
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_TO=+442033998806 <sip:+442033998806@orange.voip>
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_FROM=+442033998833 <sip:T00157@orange.voip>;tag=5394SIPpTag001
5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing [/bin/true]
ls /tmp shows the newly created file !!!
I created a simple patch to fix this issue in the exec module, based on the suggestion from RedHat, until you fix your bash, which is recommended.
Sorry, I attached the wrong patch in the previous post.
Here is a new one with the fixed body length comparison.
-- Seudin Kasumovic
OK, ignore my previous email then...
Thanks again, Daniel
On 25/09/14 16:51, Seudin Kasumovic wrote:
Sorry, I attached the wrong patch in the previous post.
Here is a new one with the fixed body length comparison.
-- MSC Seudin Kasumovic Tuzla, Bosnia
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Your patch was pushed to master, 4.1 and 4.0 branches.
In addition, I pushed a patch with a new module parameter that could disable the escape of the sensitive header part, just in case it would be needed by people who know what they do. Not documented in the readme, as it probably should be removed rather soon.
Cheers, Daniel
Hi Seudin,
thanks for the heads-up about vulnerabilities out there affecting us, and for the patch!
One comment regarding the patch, I see this comparison:
if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,2))) {
and I see a string of size 4 being compared. Am I missing something?
Cheers, Daniel
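The length bound discussed in the message above, worked through as an added example (not code from the patch or from Kamailio): it shows which header bodies a comparison clamped to MIN(len, n) bytes reports as matching "() {", next to a check that requires all four bytes. The type body_t, the function names and the sample strings are assumptions made for this illustration; the bound is a parameter so that the quoted value 2 can be compared with 4, the length of the pattern.

```c
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define FUNCDEF "() {"   /* 4-byte prefix that marks an exported bash function */

/* Hypothetical counted string standing in for a header body: a pointer into
 * the received message plus a length, not NUL-terminated. */
typedef struct { const char *s; int len; } body_t;

/* Comparison as quoted in the thread, with the bound as parameter n
 * (n = 2 is the quoted line). Only MIN(len, n) bytes are compared. */
int clamped_check(body_t b, int n)
{
    return !strncmp(b.s, FUNCDEF, MIN(b.len, n));
}

/* Length-safe form: the body must contain all four bytes of the prefix. */
int strict_check(body_t b)
{
    return b.len >= 4 && memcmp(b.s, FUNCDEF, 4) == 0;
}

/* Constructed sample bodies; the first is the header value from the thread. */
static const char *samples[] = {
    "() { :;}; echo 123 > /tmp/123", "()", "(", "",
    "() not a function", "Performance Test",
};

body_t sample(int i)
{
    body_t b = { samples[i], (int)strlen(samples[i]) };
    return b;
}

int main(void)
{
    printf("%-30s n=2 n=4 strict\n", "body");
    for (int i = 0; i < (int)(sizeof samples / sizeof samples[0]); i++) {
        body_t b = sample(i);
        printf("%-30s %3d %3d %6d\n", b.s,
               clamped_check(b, 2), clamped_check(b, 4), strict_check(b));
    }
    return 0;
}
```

With the bound clamped to the body length, an empty body compares zero bytes and is reported as a match, so short or empty headers are flagged as well as real function definitions.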