Date: Tue, 3 May 2016 21:01:43 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

On Tue, May 03, 2016 at 08:42:30PM -0500, Bob Friesenhahn wrote:
> >This appears to be executed via:
> >https://sourceforge.net/p/graphicsmagick/code/ci/default/tree/magick/delegate.c
> >which tries to escape arguments using UnixShellTextEscape(). This function
> >appears to replace \`"$ chars with backslash-escaped versions. I'm not
> >sure this is a safe mechanism either.
> 
> Please provide me with a working exploit.

Sorry, exploits aren't my strong suit.

Shells are crazy things though -- | & || && and ; make it easy to execute
additional commands. * ? {} and [] make it easy to turn "single" arguments
into many arguments or get forbidden characters from the filesystem into
the command line anyway. - can change behaviours of called programs. etc etc.

> Be aware that this quoting method is only used for the few delegates.mgk
> rules which require shell-like syntax to work. Otherwise the external
> program is run using execvp() without a shell.

Now this I love to hear. execve() makes me happy.

Thanks

