[Vuln] Potential arbitrary-memory-log in ds_is_in_list due to uninit variable on stack #2780
Comments
BTW, will a GHSA/CVE be assigned to this issue? @liviuchircu
Many thanks to @Cossack9989 for the report! Fixes #2780 (cherry picked from commit e2f13d3)
Thank you for the report, @Cossack9989! I see this bug as a minor problem, as in the overwhelming majority of use-cases,
Although For that reason, I think this issue is actually a vulnerability and deserves a GHSA/CVE (to remind anybody using dispatcher not to misuse
What's more, if an incorrectly-formatted ip is passed to
@Cossack9989 - ultimately, you are right. If a single user can be affected by the vulnerability, then it is real and we cannot leave anything to chance. I have opened up a security advisory on the bug and gave you access to it. So please do a full review of the security implications, as well as my own notes on the vulnerability, and complete these with your own feedback. Once that is done, we will most likely release this advisory to the public along with the Security Audit update.
@liviuchircu I think that the patch e2f13d374 works. Now you can release the sa to the public.
I think a GHSA is more than enough for this little bug. However, you have full permission to reserve, write and request an entire CVE ID and article with the same information I wrote in the advisory.
When will the sa be released to the public?
Hi, @Cossack9989! It's been a while, but the OpenSIPS Security Audit findings have just been fully disclosed -- more info on this blog. So I took the opportunity to also publish this Advisory and have also requested a CVE for it. Let's see how it goes!
Sorry to issue this publicly, but when I mailed security@opensips.org, googlemail told me that "Your message wasn't delivered to security@opensips.org because the address couldn't be found".
Detail
In ds_is_in_list, the first variable val has no initialization before https://github.com/OpenSIPS/opensips/blob/master/modules/dispatcher/dispatch.c#L2327, and if the variable ip is not valid (str2ip(ip)==NULL && str2ip6(ip)==NULL), the function will access val.rs.len and val.rs.s via LM_ERR. For that reason, in some cases/samples where users are allowed to use the "ds_is_in_list" cmd, an attacker may be able to pollute the stack before calling ds_is_in_list in order to set the uninitialized val.rs.s to an arbitrary memory address and val.rs.len to an arbitrary integer, resulting in the content of an arbitrary memory address being logged (such as passwords/cookies/sessions/...).
Suggestion
Initialize val before accessing val.rs
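The following is an added example, not OpenSIPS code and not the reporter's or the project's patch: it models the bug pattern the report describes (an uninitialised stack variable whose `.rs` fields reach the error log when the IP fails to parse) beside the suggested fix of initialising `val` first. Everything named in it is this example's own stand-in: `str_m` and `pv_value_m` for OpenSIPS's `str` and `pv_value_t`, `parse_ip_literal()` for `str2ip()`/`str2ip6()`, `snprintf()` into a buffer for `LM_ERR()`, `pollute_stack()` for whatever earlier call an attacker can use to seed the stack, and the `secret` string is constructed.

```c
/*
 * Added example (not OpenSIPS code): model of the ds_is_in_list() bug
 * pattern and of the suggested fix. All names are this example's own
 * stand-ins for OpenSIPS's str, pv_value_t, str2ip()/str2ip6(), LM_ERR().
 */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

struct str_m { char *s; int len; };                /* assumption: pointer + length, no NUL */
struct pv_value_m { int flags; struct str_m rs; }; /* assumption: cut-down pv_value_t */

/* Stand-in for str2ip()/str2ip6(): 1 for a valid IPv4 or IPv6 literal, else 0. */
int parse_ip_literal(const char *ip)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, ip, buf) == 1 || inet_pton(AF_INET6, ip, buf) == 1;
}

/* Vulnerable pattern: val is never initialised, yet the error path formats
 * val.rs.len bytes at val.rs.s into the log buffer. Whatever earlier frames
 * left in that stack slot decides what gets logged (undefined behaviour).
 * Returns -1 on the error path, 1 otherwise. */
int vulnerable_check(const char *ip, char *logbuf, size_t n)
{
    struct pv_value_m val;           /* uninitialised stack variable */

    if (!parse_ip_literal(ip)) {
        /* reads val.rs.s / val.rs.len before anything has written them */
        snprintf(logbuf, n, "invalid ip [%.*s]", val.rs.len, val.rs.s);
        return -1;
    }
    val.rs.s = (char *)ip;
    val.rs.len = (int)strlen(ip);
    snprintf(logbuf, n, "checked ip [%.*s]", val.rs.len, val.rs.s);
    return 1;
}

/* Hardened form: zero val before any path can read it (the fix the report
 * suggests), and log the caller's input rather than a field nothing filled. */
int hardened_check(const char *ip, char *logbuf, size_t n)
{
    struct pv_value_m val;
    memset(&val, 0, sizeof val);     /* initialise before accessing val.rs */

    if (!parse_ip_literal(ip)) {
        snprintf(logbuf, n, "invalid ip [%s] (val.rs.len=%d)", ip, val.rs.len);
        return -1;
    }
    val.rs.s = (char *)ip;
    val.rs.len = (int)strlen(ip);
    snprintf(logbuf, n, "checked ip [%.*s]", val.rs.len, val.rs.s);
    return 1;
}

/* Stand-in for an attacker-influenced earlier call: leaves pointers to
 * `secret` across the stack region the next call's frame will reuse. This
 * demonstrates undefined behaviour; it is reliable only at -O0. */
static void pollute_stack(const char *secret)
{
    const char * volatile slots[256];
    for (size_t i = 0; i < 256; i++)
        slots[i] = secret;
}

int main(void)
{
    /* constructed stand-in for data that happens to sit in process memory */
    static const char secret[] = "session=deadbeef; password=hunter2";
    char log[128];

    pollute_stack(secret);
    vulnerable_check("not-an-ip", log, sizeof log);
    printf("vulnerable: %s\n", log);  /* compiler-dependent; at -O0 usually the secret */

    hardened_check("not-an-ip", log, sizeof log);
    printf("hardened:   %s\n", log);  /* always: invalid ip [not-an-ip] (val.rs.len=0) */
    return 0;
}
```

Build with `cc -O0` to see the polluted stack reach the vulnerable log line; at higher optimisation levels the read is still undefined but the observed value changes. Running the binary under valgrind, or building with clang's `-fsanitize=memory`, reports the uninitialised read at the `snprintf` call, which is the check to add to a test suite so the pattern cannot regress. The hardened error path deliberately logs `ip` instead of `val.rs`, since on that path nothing has ever stored a value there.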