Sorry, I attached the wrong patch in the previous post.

Here is the new one with the fixed body length comparison.

On Thu, Sep 25, 2014 at 4:40 PM, Seudin Kasumovic <seudin.kasumo...@gmail.com> wrote:

> Hi kamailio users,
>
> we are witnesses of a newly discovered bug in bash: Bash Code Injection
> Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
> https://access.redhat.com/node/1200223
>
> As the exec module exports all SIP headers into the environment, it was easy to
> push a bash command.
>
> A simple kamailio test config file is attached.
> With sipp we sent a header to output 123 into the file /tmp/123 like this:
>
> User-Agent: () { :;}; echo 123 > /tmp/123
>
> Debug output from kamailio is:
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_LENGTH=135
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_SUBJECT=Performance Test
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_MAX_FORWARDS=70
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTACT=<sip:T00157@198.51.100.2:5060>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1 INVITE
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CALLID=1-5394@198.51.100.2
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_TO=+442033998806 <sip:+442033998...@orange.voip>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_FROM=+442033998833 <sip:t00...@orange.voip>;tag=5394SIPpTag001
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
> 5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing [/bin/true]
>
> ls /tmp shows the newly created file !!!
>
> I created a simple patch to fix this issue in the exec module, based on the
> suggestion from RedHat, until you fix your bash, which is what is recommended.
>
> --
> Seudin Kasumovic
>
>


-- 
MSC Seudin Kasumovic
Tuzla, Bosnia
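The report above describes the mechanism: the exec module copies every SIP header body into an environment variable, and a Shellshock-vulnerable bash imports any value whose first four bytes are "() {" as a function definition. The following is an added example, not Kamailio's own code, of how a module can build such an assignment defensively: the "() {" test is done only after a length check, at the same position the copy starts from, on every repeated same-name header, and with an explicit bound on the output buffer. The "SIP_HF_" prefix and the header names come from the debug output in the report; the ',' separator between repeated headers, the function names and the sample headers are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Kamailio's own code. Builds the environment variable
 * assignment an exec-style module hands to a child shell
 * ("SIP_HF_" + header name + '=' + body[,body...]) and refuses any body that
 * a Shellshock-vulnerable bash (CVE-2014-6271) would import as a function. */

#define EV_ASSIGN    '='
#define HF_SEPARATOR ','   /* assumed separator between same-name headers */

enum export_status { EXPORT_OK = 0, EXPORT_BLOCKED = 1, EXPORT_TOO_LONG = 2 };

/* Vulnerable bash treated a value whose first four bytes are "() {" as a
 * function definition. The length test runs first, so bodies shorter than
 * four bytes are never compared and no length ever underflows. */
static int is_bash_function_body(const char *s, size_t len)
{
    return len >= 4 && memcmp(s, "() {", 4) == 0;
}

/* bodies[0..nbodies) are the first header's body and its same-name repeats;
 * every one of them is checked before anything is copied into dst. */
static enum export_status build_env_var(char *dst, size_t dstlen,
                                        const char *prefix, const char *hname,
                                        const char **bodies, const size_t *lens,
                                        size_t nbodies)
{
    size_t need = strlen(prefix) + strlen(hname) + 2; /* '=' and NUL */
    size_t i, n;
    char *c;

    for (i = 0; i < nbodies; i++) {
        if (is_bash_function_body(bodies[i], lens[i]))
            return EXPORT_BLOCKED;
        need += lens[i] + (i ? 1 : 0); /* body plus separator after the first */
    }
    if (need > dstlen)
        return EXPORT_TOO_LONG; /* explicit bound instead of trusting the caller */

    c = dst;
    n = strlen(prefix); memcpy(c, prefix, n); c += n;
    n = strlen(hname);  memcpy(c, hname, n);  c += n;
    *c++ = EV_ASSIGN;
    for (i = 0; i < nbodies; i++) {
        if (i)
            *c++ = HF_SEPARATOR;
        memcpy(c, bodies[i], lens[i]);
        c += lens[i];
    }
    *c = '\0';
    return EXPORT_OK;
}

/* Convenience wrappers for a single and a doubled header: return the finished
 * assignment from a static buffer, or NULL when it was blocked or too long. */
static const char *export_single(const char *hname, const char *body)
{
    static char buf[256];
    const char *bodies[1] = { body };
    size_t lens[1] = { strlen(body) };
    return build_env_var(buf, sizeof buf, "SIP_HF_", hname, bodies, lens, 1)
           == EXPORT_OK ? buf : NULL;
}

static const char *export_pair(const char *hname, const char *b1, const char *b2)
{
    static char buf[256];
    const char *bodies[2] = { b1, b2 };
    size_t lens[2] = { strlen(b1), strlen(b2) };
    return build_env_var(buf, sizeof buf, "SIP_HF_", hname, bodies, lens, 2)
           == EXPORT_OK ? buf : NULL;
}

int main(void)
{
    /* Constructed sample headers; the User-Agent value is the one from the report. */
    static const char *const names[]  = { "SUBJECT", "USER_AGENT", "CONTACT", "X_EMPTY" };
    static const char *const values[] = { "Performance Test",
                                          "() { :;}; echo 123 > /tmp/123",
                                          "<sip:T00157@198.51.100.2:5060>",
                                          "" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *ev = export_single(names[i], values[i]);
        printf("%-10s -> %s\n", names[i], ev ? ev : "BLOCKED");
    }
    /* A repeated header is checked too, not only the first occurrence. */
    printf("ALLOW x2   -> %s\n", export_pair("ALLOW", "INVITE", "ACK"));
    printf("ALLOW x2   -> %s\n",
           export_pair("ALLOW", "INVITE", "() { :;}; echo 123 > /tmp/123") ? "exported" : "BLOCKED");
    return 0;
}
```

Refusing the header outright (and letting the caller log the EXPORT_BLOCKED result) is simpler to reason about than rewriting the body, since there is then no second copy path whose length arithmetic has to stay in step with the check. The empty body case shows the length guard doing its job: it is exported as "SIP_HF_X_EMPTY=" rather than being matched as a prefix of "() {".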
diff --git a/modules/exec/exec_hf.c b/modules/exec/exec_hf.c
index c83550f..96b990e 100644
--- a/modules/exec/exec_hf.c
+++ b/modules/exec/exec_hf.c
@@ -256,12 +256,22 @@ static int print_hf_var(struct hf_wrapper *w, int offset)
        memcpy(envvar, w->prefix, w->prefix_len); c=envvar+w->prefix_len;
        memcpy(c, hname, hlen ); c+=hlen;
        *c=EV_ASSIGN;c++;
-       memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
-       c+=w->u.hf->body.len;
+       if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+               memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 );
+               c+=(w->u.hf->body.len-2);
+       } else {
+               memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+               c+=w->u.hf->body.len;
+       }
        for (wi=w->next_same; wi; wi=wi->next_same) {
                *c=HF_SEPARATOR;c++;
-               memcpy(c, wi->u.hf->body.s+offset, wi->u.hf->body.len );
-               c+=wi->u.hf->body.len;
+               if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) {
+                       memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 
);
+                       c+=(w->u.hf->body.len-2);
+               } else {
+                       memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len );
+                       c+=w->u.hf->body.len;
+               }
        }
        *c=0; /* zero termination */
        LM_DBG("%s\n", envvar );
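Review bot: the loop over repeated same-name headers (the `for (wi=w->next_same; ...)` block) checks and copies `w->u.hf->body` where the removed lines used `wi->u.hf->body`, so each repeat is replaced by another copy of the first header's body and the repeats themselves are never inspected or exported; the three new lines should read `if (!strncmp(wi->u.hf->body.s,"() {",MIN(wi->u.hf->body.len,4))) {`, `memcpy(c, wi->u.hf->body.s+offset+2, wi->u.hf->body.len-2 );` and `c+=(wi->u.hf->body.len-2);`. The `MIN(body.len,4)` in both checks also makes the test match any body shorter than four bytes that is a prefix of "() {" (an empty body matches too, since strncmp with n=0 returns 0), after which `body.len-2` goes negative and memcpy receives a huge size_t; test `body.len >= 4` before comparing the four bytes. Finally, the comparison reads from `body.s` while the copy starts at `body.s+offset`; compare at the same position the copy uses.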
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users