Discussion:
[SR-Users] Bash Code Injection and 'exec' module
Seudin Kasumovic
2014-09-25 14:40:56 UTC
Hi kamailio users,

we are witnesses of a newly discovered bug in bash: Bash Code Injection
Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
https://access.redhat.com/node/1200223

As the exec module exports all SIP headers into the environment, it was easy to
push a bash command.

Attached is a simple kamailio test config file.
With sipp we sent a header to output 123 into the file /tmp/123 like this:

User-Agent: () { :;}; echo 123 > /tmp/123

Debug output from kamailio is:

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_CONTENT_LENGTH=135

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_CONTENT_TYPE=application/sdp

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_ALLOW=INVITE,
ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

* 5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_USER_AGENT=() { :;}; echo 123 > /tmp/123*

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_SUBJECT=Performance Test

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_MAX_FORWARDS=70

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CONTACT=<
sip:T00157-***@public.gmane.org:5060>

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CSEQ=1 INVITE

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var(): SIP_HF_CALLID=
1-5394-***@public.gmane.org

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_TO=+442033998806 <sip:+442033998806-***@public.gmane.org>

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_FROM=+442033998833 <sip:T00157-***@public.gmane.org>;tag=5394SIPpTag001

5(30147) DEBUG: exec [exec_hf.c:278]: print_hf_var():
SIP_HF_VIA=SIP/2.0/UDP 198.51.100.2:5060;branch=z9hG4bK-5394-1-0

5(30147) DEBUG: exec [exec_mod.c:175]: w_exec_msg(): executing [/bin/true]

ls /tmp shows the newly created file !!!

I created a simple patch to fix this issue in the exec module, based on the
suggestion from RedHat, until you fix your bash, which is recommended.
--
Seudin Kasumovic
Seudin Kasumovic
2014-09-25 14:51:19 UTC
Sorry, I attached the wrong patch in the previous post.

Here is a new one with the fixed body length comparison.

--
MSC Seudin Kasumovic
Tuzla, Bosnia
Daniel-Constantin Mierla
2014-09-25 14:53:18 UTC
OK, ignore my previous email then...

Thanks again,
Daniel
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Next Kamailio Advanced Trainings 2014 - http://www.asipto.com
Sep 22-25, Berlin, Germany
Daniel-Constantin Mierla
2014-09-25 15:07:08 UTC
Your patch was pushed to master, 4.1 and 4.0 branches.

In addition, I pushed a patch with a new module parameter that could
disable the escape of the sensitive header part, just in case it would be
needed by people who know what they are doing. It is not documented in the
readme, as it should probably be removed rather soon.

Cheers,
Daniel
Daniel-Constantin Mierla
2014-09-25 14:52:35 UTC
Hi Seudin,

thanks for the heads-up about vulnerabilities out there affecting us, and
for the patch!

One comment regarding the patch, I see this comparison:

if (!strncmp(w->u.hf->body.s,"() {",MIN(w->u.hf->body.len,2))) {

and I see a string of size 4 being compared. Missing something?

Cheers,
Daniel
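
The length point raised about the quoted comparison, worked through as an added example (not the patch attached to the thread and not Kamailio code). The names quoted_check, starts_with_funcdef and build_env_entry are hypothetical, and overwriting the first byte with '_' is an assumed way to neutralise the value, not the one the patch uses.

```c
#include <stdio.h>
#include <string.h>

/* The comparison as quoted in the thread: only MIN(len, 2) bytes are
 * compared, so "()" alone, "(" and even an empty body all "match". */
static int quoted_check(const char *s, int len)
{
    return !strncmp(s, "() {", (size_t)(len < 2 ? len : 2));
}

/* Length-safe form (hypothetical helper): the body is a pointer/length
 * pair, not NUL-terminated, so require all 4 marker bytes first. */
static int starts_with_funcdef(const char *s, int len)
{
    static const char marker[] = "() {";
    const int mlen = (int)sizeof(marker) - 1;
    return s != NULL && len >= mlen && memcmp(s, marker, (size_t)mlen) == 0;
}

/* Write "NAME=value" into out. A value that begins with the marker gets
 * its first byte overwritten (assumed neutralisation) so a child bash no
 * longer sees a function definition. Returns the entry length, or -1
 * when out is too small: a truncated entry is never exported. */
static int build_env_entry(const char *name, const char *body, int len,
                           char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s=%.*s", name, len, body);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    if (starts_with_funcdef(body, len))
        out[strlen(name) + 1] = '_';
    return n;
}

int main(void)
{
    /* First body is the value from the thread's debug output; the
     * remaining three are constructed edge cases. */
    const char *bodies[] = { "() { :;}; echo 123 > /tmp/123", "()", "", "SIPp" };
    char env[256];
    for (size_t i = 0; i < sizeof bodies / sizeof bodies[0]; i++) {
        int len = (int)strlen(bodies[i]);
        build_env_entry("SIP_HF_USER_AGENT", bodies[i], len, env, sizeof env);
        printf("quoted=%d safe=%d  %s\n", quoted_check(bodies[i], len),
               starts_with_funcdef(bodies[i], len), env);
    }
    return 0;
}
```

The two checks agree on the header from the thread and differ on the short bodies, where the two-byte comparison reports a match for values that cannot start a function definition.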