For some research I'm doing, I'm looking to get smqueue to call my script with each text I send from the test network. I skimmed through the source code and found the SMS.HTTPGateway.URL option and created an HTTP server to receive the requests.
I got it working, but I noticed that the incoming text message is not properly escaped, leading to a command injection vulnerability. With this configuration option enabled, and set to http://localhost:1337/%s/%s, I was able to reboot my machine running OpenBTS by sending a text message to a number that doesn't even exist.
I'm not reporting this as a security bug because it's an undocumented feature, and I know I wouldn't be amused if someone reported a security bug to me in a feature I didn't even document :) However, if someone deployed this configuration, it would lead to remote code execution (as the user running smqueue, which is usually root I think), so it should probably be fixed.
If you have trouble replicating this or have any questions, feel free to contact me.
Best,
Zack
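The report above says the message text is substituted into the `SMS.HTTPGateway.URL` template (`http://localhost:1337/%s/%s`) without escaping, so a crafted SMS body can carry shell metacharacters into whatever command smqueue builds from that URL. The following is an added example, not smqueue's own code, of how such a URL builder should treat the substituted fields: every byte outside the RFC 3986 unreserved set is percent-encoded before substitution, the template is validated to contain exactly two `%s` placeholders and no other `%` directive (so a misconfigured template cannot act as an uncontrolled format string), and a defense-in-depth check confirms the result contains no shell metacharacters. It assumes the two placeholders receive the destination number and the message body; that mapping and the function names are illustrative, and the sample message is constructed for the demonstration.

```c
/* Added example, not smqueue code: safe filling of an SMS.HTTPGateway.URL-style
 * template. Assumption: the two %s placeholders take the destination number
 * and the message body (hypothetical mapping, used only for illustration). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Percent-encode every byte outside the RFC 3986 unreserved set
 * (ALPHA / DIGIT / "-" / "." / "_" / "~"). Returns a malloc'd string the
 * caller frees, or NULL on allocation failure. */
char *percent_encode(const char *in) {
    size_t n = strlen(in);
    char *out = malloc(3 * n + 1);          /* worst case: every byte -> %XX */
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')
            *p++ = (char)c;
        else
            p += sprintf(p, "%%%02X", c);   /* e.g. ';' -> "%3B", ' ' -> "%20" */
    }
    *p = '\0';
    return out;
}

/* Fill a template that must contain exactly two "%s" placeholders and no
 * other '%' directive. Substituted fields are percent-encoded first, and the
 * template is expanded by hand rather than passed to printf-style functions,
 * so neither the configuration value nor the SMS content is ever interpreted
 * as a format string. Returns a malloc'd URL, or NULL on a bad template. */
char *build_gateway_url(const char *tmpl, const char *dest, const char *body) {
    int count = 0;
    for (const char *t = tmpl; *t; t++) {
        if (*t != '%') continue;
        if (t[1] != 's') return NULL;       /* reject %d, %n, trailing %, ... */
        count++;
        t++;
    }
    if (count != 2) return NULL;

    char *enc[2] = { percent_encode(dest), percent_encode(body) };
    if (!enc[0] || !enc[1]) { free(enc[0]); free(enc[1]); return NULL; }

    size_t len = strlen(tmpl) + strlen(enc[0]) + strlen(enc[1]) + 1;
    char *url = malloc(len);
    if (!url) { free(enc[0]); free(enc[1]); return NULL; }

    char *p = url;
    int next = 0;
    for (const char *t = tmpl; *t; t++) {
        if (*t == '%') {                    /* validated above: always "%s" */
            size_t l = strlen(enc[next]);
            memcpy(p, enc[next], l);
            p += l;
            next++;
            t++;
        } else {
            *p++ = *t;
        }
    }
    *p = '\0';
    free(enc[0]);
    free(enc[1]);
    return url;
}

/* Defense-in-depth check before handing a URL to any shell-based fetcher:
 * returns nonzero if the string still contains a shell metacharacter. A URL
 * built by build_gateway_url() must never trip this. */
int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|&$`\\\"'<>(){}[]*?! \t\r\n") != NULL;
}

int main(void) {
    /* Constructed sample: a message body that smuggles a second command. */
    const char *body = "hi; reboot";
    char *url = build_gateway_url("http://localhost:1337/%s/%s", "5551234", body);
    if (!url) { fprintf(stderr, "bad template\n"); return 1; }
    printf("raw body has metachars: %d\n", has_shell_metachar(body));
    printf("encoded URL:            %s\n", url);
    printf("URL has metachars:      %d\n", has_shell_metachar(url));
    free(url);
    return 0;
}
```

Encoding alone closes the injection described in the report only if the fetch step receives the URL as a single argument (an `exec`-family call or a library such as libcurl); if the URL is still spliced into a shell command line, the metacharacter check is the last line of defense and should reject rather than sanitize.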