Sorry, I attached the wrong patch in the previous post; here is a new one with the fixed body length comparison.
On Thu, Sep 25, 2014 at 4:40 PM, Seudin Kasumovic <seudin.kasumo...@gmail.com> wrote:
> Hi kamailio users,
>
> we are witnesses of a newly discovered bug in bash: Bash Code Injection
> Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
> https://access.redhat.com/node/1200223
>
> As the exec module exports all SIP headers into the environment, it was easy to
> push a bash command.
>
> There is a simple kamailio test config file attached.
> With sipp we sent a header to output 123 into the file /tmp/123, like this:
>
> User-Agent: () { :;}; echo 123 > /tmp/123
>
> The debug output from kamailio is:
>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_LENGTH=135
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTENT_TYPE=application/sdp
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_ALLOW=INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_SUBJECT=Performance Test
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_MAX_FORWARDS=70
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTACT=<sip:T00157@198.51.100.2:5060>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1 INVITE
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CALLID=1-5394@198.51.100.2
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_TO=+442033998806 <sip:+442033998...@orange.voip>
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_FROM=+442033998833 <sip:t00...@orange.voip>;tag=5394SIPpTag001
> 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0
> 5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing [/bin/true]
>
> ls /tmp shows the newly created file!!!
>
> I created a simple patch to fix this issue in the exec module, based on the
> suggestion from RedHat, until you fix your bash, which is what is recommended.
>
> --
> Seudin Kasumovic

--
MSC Seudin Kasumovic
Tuzla, Bosnia
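The quoted mail shows the mechanism: the exec module copies each SIP header body verbatim into an environment variable named SIP_HF_<NAME>, so a value beginning with bash's exported-function prefix "() {" reaches the child shell unchanged. Below is an added, stand-alone C example (not code from kamailio or from this thread) of the copy step done defensively: it requires the full four-byte prefix before rewriting (so bodies shorter than the prefix are copied as-is instead of producing a negative copy length), refuses to overflow the caller's buffer, and builds the SIP_HF_ name the way the debug output above shows it. The function names `copy_hf_value` and `build_env_entry` are hypothetical; the sample header values in `main` are constructed for the demonstration, the first one being the User-Agent value from the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bash (before the fix for CVE-2014-6271) treats an environment value that
 * starts with exactly these four bytes as a function definition. */
#define BASH_FUNC_PREFIX     "() {"
#define BASH_FUNC_PREFIX_LEN 4

/* Hypothetical helper (not kamailio's): copy a header body (not NUL-terminated,
 * like kamailio's str) into an environment-variable value.  If the body starts
 * with the full "() {" prefix, the leading "()" is dropped so the value can no
 * longer be parsed as a function definition; the rest is kept for the script.
 * Returns 1 if rewritten, 0 if copied verbatim, -1 if `out` is too small. */
int copy_hf_value(const char *body, int body_len, char *out, size_t out_size)
{
    if (body_len < 0 || (size_t)body_len + 1 > out_size)
        return -1;                      /* refuse rather than overflow */

    /* The length check comes first: comparing only MIN(len, 4) bytes would
     * let "(" or "()" match and then body_len - 2 would go negative. */
    if (body_len >= BASH_FUNC_PREFIX_LEN &&
        memcmp(body, BASH_FUNC_PREFIX, BASH_FUNC_PREFIX_LEN) == 0) {
        memcpy(out, body + 2, (size_t)(body_len - 2));
        out[body_len - 2] = '\0';
        return 1;
    }
    memcpy(out, body, (size_t)body_len);
    out[body_len] = '\0';
    return 0;
}

/* Hypothetical helper: build "SIP_HF_<NAME>=<value>", with the header name
 * upper-cased and '-' mapped to '_' as in the thread's debug output
 * (User-Agent -> SIP_HF_USER_AGENT).  Returns the entry length or -1. */
int build_env_entry(const char *hname, const char *body, int body_len,
                    char *out, size_t out_size)
{
    const char *prefix = "SIP_HF_";
    size_t plen = strlen(prefix), hlen = strlen(hname), i;
    size_t head = plen + hlen + 1;      /* prefix + name + '=' */

    if (body_len < 0 || head + (size_t)body_len + 1 > out_size)
        return -1;
    memcpy(out, prefix, plen);
    for (i = 0; i < hlen; i++) {
        char ch = hname[i];
        out[plen + i] = (ch == '-') ? '_' : (char)toupper((unsigned char)ch);
    }
    out[plen + hlen] = '=';
    if (copy_hf_value(body, body_len, out + head, out_size - head) < 0)
        return -1;
    return (int)strlen(out);
}

int main(void)
{
    /* Constructed samples: the User-Agent value from the thread, two bodies
     * shorter than the prefix, and an ordinary user agent. */
    const char *samples[] = { "() { :;}; echo 123 > /tmp/123", "(", "()", "SIPp/3.3" };
    char entry[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_env_entry("User-Agent", samples[i],
                                (int)strlen(samples[i]), entry, sizeof entry);
        printf("%3d  %s\n", n, entry);
    }
    return 0;
}
```

Running it prints the neutralised entry `SIP_HF_USER_AGENT= { :;}; echo 123 > /tmp/123` for the first sample and copies the three others unchanged; the rewrite only ever shortens the value, so a buffer sized for the original body is still large enough.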
diff --git a/modules/exec/exec_hf.c b/modules/exec/exec_hf.c index c83550f..96b990e 100644 --- a/modules/exec/exec_hf.c +++ b/modules/exec/exec_hf.c @@ -256,12 +256,22 @@ static int print_hf_var(struct hf_wrapper *w, int offset) memcpy(envvar, w->prefix, w->prefix_len); c=envvar+w->prefix_len; memcpy(c, hname, hlen ); c+=hlen; *c=EV_ASSIGN;c++; - memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len ); - c+=w->u.hf->body.len; + if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) { + memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 ); + c+=(w->u.hf->body.len-2); + } else { + memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len ); + c+=w->u.hf->body.len; + } for (wi=w->next_same; wi; wi=wi->next_same) { *c=HF_SEPARATOR;c++; - memcpy(c, wi->u.hf->body.s+offset, wi->u.hf->body.len ); - c+=wi->u.hf->body.len; + if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,4))) { + memcpy(c, w->u.hf->body.s+offset+2, w->u.hf->body.len-2 ); + c+=(w->u.hf->body.len-2); + } else { + memcpy(c, w->u.hf->body.s+offset, w->u.hf->body.len ); + c+=w->u.hf->body.len; + } } *c=0; /* zero termination */ LM_DBG("%s\n", envvar );
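Review bot: the loop over `next_same` headers now reads `w->u.hf->body` in all six added lines where the removed lines used `wi->u.hf->body`, so every additional header with the same name is emitted as a copy of the first one instead of its own value; both the `strncmp` and the `memcpy`/`c+=` statements in the loop body should use `wi`. The new check itself has two further problems: `MIN(w->u.hf->body.len,4)` compares fewer bytes for short bodies, so a body of `(` or `()` matches on its first one or two bytes, and for a one-byte body `w->u.hf->body.len-2` is then -1, which `memcpy` receives as a huge `size_t`; and the comparison starts at `body.s` while the copy starts at `body.s+offset`, so the two look at different bytes whenever `offset` is non-zero. Suggest `if (w->u.hf->body.len >= 4 && !strncmp(w->u.hf->body.s+offset, "() {", 4))` (and the `wi` form in the loop), and moving the duplicated copy-or-strip block into a small static helper so the two call sites cannot drift apart again.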
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users