Date: Thu, 25 Feb 2016 10:53:29 +0000
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: bash-completion: dequote command injection

On 24/02/16 21:58, Kurt Seifried wrote:
> I think in this case it's pretty simply "dequoting should not result in
> code execution" much like the various deserialization flaws (they should
> deserialize the data, not execute random stuff).

My immediate assumption was that an unprivileged user could leave something lying around that root could complete on. Within bash-completion, most of the uses of dequote are to find a config file, so there'd be a degree of social engineering to persuade root to use a config file of your choice. The other main use seems to be in _parse_help() and _parse_usage(), which parse gnu-style help and bsd-style usage respectively, and that might not need as much social engineering to exploit. I didn't investigate further.

Whether or not this turns out to be exploitable at all in bash-completion, I do agree with Kurt though.

jch

>
> On Wed, Feb 24, 2016 at 2:56 PM, Fernando Muñoz <fernando@...l-life.com>
> wrote:
>
>> Hello Eric,
>>
>> I never mentioned privilege escalation.
>>
>> This issue however could appear when a different application uses
>> user input and calls the "dequote" function that not only dequotes, but
>> also executes it as a command. If mitre doesn't consider it CVE worthy,
>> that's OK!
>>
>> Regards.
>>
>>
>>
>> On Wed, Feb 24, 2016 at 3:58 PM, Eric Blake <eblake@...hat.com> wrote:
>>> On 02/24/2016 12:08 PM, Fernando Muñoz wrote:
>>>> Marcelo Echeverria and Fernando Muñoz discovered that the dequote
>>>> function included in bash-completion allows executing arbitrary
>>>> commands since it uses the eval function to call printf and perform
>>>> the actual dequoting. bash-completion is included on Debian, Ubuntu,
>>>> OpenSuse and probably other distros.
>>>
>>> But what is the privilege escalation? This is no different than
>>> incorrectly using 'eval' in a shell script - you may have buggy code,
>>> and have an easy-to-trigger bug, but if you can't escalate privileges,
>>> how is it a CVE?
>>>
>>> --
>>> Eric Blake eblake redhat com +1-919-301-3266
>>> Libvirt virtualization library http://libvirt.org
>>>
>>
>
>
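The dequote pattern the thread describes, as an added example that is not bash-completion's own code: a version that hands the quoted string to eval (so command substitution inside it runs), next to a replacement that strips one layer of shell quoting character by character without eval. The names dequote_unsafe and dequote_safe are assumptions, and the input strings are constructed for the demonstration.

```sh
# Vulnerable pattern (modelled on what the thread describes): the quoted
# string is passed to eval, so $(...) and backticks inside it are executed
# instead of being returned as text.
dequote_unsafe() { eval printf %s "$1" 2>/dev/null; }

# Safer replacement: walk the string and remove one layer of shell quoting
# ('...', "...", and backslash escapes). No eval, so nothing can execute.
dequote_safe() {
    s=$1 out='' q=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                     # first character of $s
        s=${s#?}                            # the rest of $s
        if [ -z "$q" ]; then                # unquoted context
            case $c in
                \'|\") q=$c ;;              # open a quoted section
                \\) c=${s%"${s#?}"}; s=${s#?}; out=$out$c ;;  # \x -> x
                *) out=$out$c ;;
            esac
        elif [ "$q" = "'" ]; then           # inside '...': everything literal
            if [ "$c" = "'" ]; then q=''; else out=$out$c; fi
        else                                # inside "...": only \" \\ \$ \` escape
            if [ "$c" = '\' ]; then
                case $s in
                    \"*|\\*|\$*|\`*) c=${s%"${s#?}"}; s=${s#?} ;;
                esac
                out=$out$c
            elif [ "$c" = '"' ]; then q=''
            else out=$out$c
            fi
        fi
    done
    printf '%s' "$out"
}

# Demo with a constructed input: the unsafe version runs the substitution,
# the safe version returns it as text.
dequote_unsafe '"$(echo marker)"'; echo
dequote_safe   '"$(echo marker)"'; echo
```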