Date: Sun, 28 Dec 2008 00:02:51 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com
Cc: atomo64+debian@...il.com
Subject: Re: CVE id request: verlihub
Steven, good day.
Wed, Dec 24, 2008 at 12:54:14PM -0500, Steven M. Christey wrote:
> ======================================================
> Name: CVE-2008-5706
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706
> Reference: MILW0RM:7183
> Reference: URL:http://www.milw0rm.com/exploits/7183
> Reference: MLIST:[oss-security] 20081216 CVE id request: verlihub
> Reference: URL:http://openwall.com/lists/oss-security/2008/12/17/16
> Reference: MISC:http://bugs.debian.org/506530
>
> The cTrigger::DoIt function in src/ctrigger.cpp in the trigger
> mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows
> local users to overwrite arbitrary files via a symlink attack on the
> /tmp/trigger.tmp temporary file.
What about remote command execution via unsanitized user input? It
will work only if the server has executable triggers and 'allow_exec'
is set to 1. By the way, CVE-2008-5706 will be triggered ;)) only in
this case too.
If anyone is interested, I have reworked the original patch from MilW0rm.
The original patch was mangling the results of std::string.c_str() and
sanitizing not only the user-supplied part, but the whole command. The
result is attached and comments are very welcome.
--
Eygene
--- src/ctrigger.cpp.orig 2005-04-11 19:18:38.000000000 +0400
+++ src/ctrigger.cpp 2008-12-27 23:28:14.000000000 +0300
@@ -7,6 +7,9 @@
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
***************************************************************************/
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
#include "cserverdc.h"
#include "ctrigger.h"
#include "cconndc.h"
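Review bot: style point on the three added includes: this is a C++ translation unit, so <cerrno>, <cstdio> and <cstring> are the conventional spellings and make errno/strerror available as std::errno-style names; the later hunk mixes unqualified cout with std::endl, so picking one namespace convention here would keep the file consistent.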
@@ -44,16 +47,33 @@
{
string buf, filename, sender;
string par1, end1, parall;
+ string cmdl;
+
if (conn && conn->mpUser)
{
+ cmd_line >> cmdl;
+ /* Sanitise user input if we're going to exec anything */
+ if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
+ string cleaned = string();
+ const string toclean = string(";\"'\\`:!${}[]&><|~/");
+
+ for (string::iterator i = cmdl.begin();
+ i < cmdl.end();
+ i++) {
+ if (toclean.find(*i) == string::npos)
+ cleaned.append(1, *i);
+ }
+ cmdl = cleaned;
+ }
+
int uclass = conn->mpUser->mClass;
if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) {
- if(cmd_line.str().size() > mCommand.size()) {
- parall.assign(cmd_line.str(),mCommand.size()+1,string::npos);
+ if(cmdl.size() > mCommand.size()) {
+ parall.assign(cmdl,mCommand.size()+1,string::npos);
}
- cmd_line >> par1;
- end1 = cmd_line.str();
+ par1 = cmdl;
+ end1 = cmdl;
sender = server.mC.hub_security;
if (mSendAs.size()) sender = mSendAs;
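Review bot: `cmd_line >> cmdl` extracts only one whitespace-delimited token, whereas the original built `parall` and `end1` from `cmd_line.str()`, the whole buffer; after this hunk `parall.assign(cmdl,mCommand.size()+1,string::npos)` and `end1 = cmdl` operate on that single token, so a multi-word argument is cut to its first word, `end1` no longer carries the rest of the line, and when the token is shorter than `mCommand` the size check leaves `parall` silently empty. Take the remainder with `std::getline(cmd_line, cmdl)` (or filter `cmd_line.str()`) and then split `par1` off the filtered string. Separately, the filter strips characters instead of rejecting the input, and the blocklist `";\"'\\`:!${}[]&><|~/"` is open-ended: `(`, `)`, `*`, `?`, `#` and the control characters are not in it; an allowlist of the characters a trigger argument may legitimately contain, with `return 0` on anything else, is both shorter and easier to reason about than a list of what the shell might interpret.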
@@ -104,14 +124,25 @@
if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
string command(buf);
- filename = server.mConfigBaseDir;
- filename.append("/tmp/trigger.tmp");
- command.append(" > ");
- command.append(filename);
+ char buffer[1024];
+ FILE *stream;
+
cout << command << endl;
- system(command.c_str());
buf = "";
- if (!LoadFileInString(filename,buf)) return 0;
+ stream = popen(command.c_str(), "r");
+ if (stream == NULL) {
+ cout << strerror(errno) << std::endl;
+ return 0;
+ } else {
+ while (fgets(buffer, sizeof(buffer),
+ stream) != NULL)
+ buf.append(buffer);
+ if (pclose(stream) == -1) {
+ cout << strerror(errno) <<
+ std::endl;
+ return 0;
+ }
+ }
}
// @CHANGED by dReiska +BEGINS+
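Review bot: `pclose()` returns the child's wait status, so the `== -1` test only catches a wait failure; a command that exits non-zero or is killed still has whatever it wrote returned as if it succeeded. If a failing command should not be treated as success, keep `status == -1` as the error path and additionally check `!WIFEXITED(status) || WEXITSTATUS(status) != 0` (needs <sys/wait.h>). Note also that `popen()` still hands `command` to `/bin/sh -c`, so the character filter in the earlier hunk remains the only barrier between user input and the shell; what this hunk does remove is the fixed `trigger.tmp` output file and the `" > "` redirection, and with them the symlink race of CVE-2008-5706. The `else` after `return 0;` is redundant and can be flattened.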
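The two points the thread turns on, filtering the user-supplied word before it reaches a command and then running that command, are shown below in an added example that is not verlihub code and not part of the posted patch. It places the patch's blocklist (copied verbatim, characters silently dropped) beside an allowlist that rejects instead of rewriting, and replaces popen() with a fork/execvp runner that passes the user's word as its own argv element, so no shell ever parses it. The execvp approach is a swapped-in technique: it assumes the trigger command can be expressed as an argv vector, whereas a verlihub trigger is a free-form shell string handed to system()/popen(), so adopting it there would be a design change beyond the patch. The hostile input and the `/bin/echo` command are constructed for the demonstration; `strip_blocklisted`, `allowlist_ok`, `run_capture` and `echo_word` are names chosen here, not verlihub's.

```cpp
// Added example (not verlihub code): argument filtering and shell-free
// execution for a trigger-style "run a command with a user-supplied word".
#include <cctype>
#include <iostream>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// The blocklist from the posted patch, applied the same way: offending
// characters are silently dropped, everything else passes through.
static const std::string kBlocklist = ";\"'\\`:!${}[]&><|~/";

std::string strip_blocklisted(const std::string &in) {
    std::string out;
    for (char c : in)
        if (kBlocklist.find(c) == std::string::npos) out.push_back(c);
    return out;
}

// Allowlist alternative (assumption: a trigger argument is a single word such
// as a nickname or rule name): accept only [A-Za-z0-9_.-], at most 64 bytes,
// and refuse a leading '-' so the word cannot be read as an option by the
// program it is handed to. Anything else is rejected, never rewritten.
bool allowlist_ok(const std::string &in) {
    if (in.empty() || in.size() > 64 || in[0] == '-') return false;
    for (unsigned char c : in)
        if (!std::isalnum(c) && c != '_' && c != '-' && c != '.') return false;
    return true;
}

// Run argv directly (fork + execvp, no /bin/sh) and collect its stdout.
// Returns the child's exit status, or -1 if it could not be run or did not
// exit normally. Because the user's word is its own argv element, shell
// metacharacters inside it are never interpreted.
int run_capture(const std::vector<std::string> &argv, std::string &out) {
    out.clear();
    if (argv.empty()) return -1;
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        std::vector<char *> cargv;
        for (const std::string &a : argv) cargv.push_back(const_cast<char *>(a.c_str()));
        cargv.push_back(nullptr);
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(cargv[0], cargv.data());
        _exit(127);  // exec failed
    }
    close(fds[1]);
    char buffer[1024];
    ssize_t n;
    while ((n = read(fds[0], buffer, sizeof buffer)) > 0) out.append(buffer, n);
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Demonstration helper: hand the word to /bin/echo as a separate argument
// and return what came back; "<run failed>" if echo could not be run.
std::string echo_word(const std::string &word) {
    std::string out;
    if (run_capture({"/bin/echo", word}, out) != 0) return "<run failed>";
    return out;
}

int main() {
    const std::string hostile = "$(id);ls|rm -rf /";   // constructed input
    std::cout << "blocklist keeps:   " << strip_blocklisted(hostile) << "\n";
    std::cout << "allowlist accepts: " << (allowlist_ok(hostile) ? "yes" : "no") << "\n";
    std::cout << "echo via argv:     " << echo_word(hostile);
    return 0;
}
```

The blocklist run shows the weakness the patch inherits: `$`, `;`, `|` and `/` vanish but `(id)` and `rm -rf ` survive, and the caller never learns the argument was altered. The allowlist simply refuses the word. The argv runner is the stronger fix where the command can be expressed as an argv vector, since the word then reaches the child program as data regardless of what it contains.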