Date: Wed, 16 Jul 2014 16:52:10 +0200 From: Tomas Hoger <thoger@...hat.com> To: cve-assign@...re.org Cc: gmollett@...hat.com, oss-security@...ts.openwall.com, kseifried@...hat.com Subject: Re: Re: CVE request - Snoopy incomplete fix for CVE-2008-4796 On Wed, 16 Jul 2014 01:57:27 -0400 (EDT) cve-assign@...re.org wrote: > The information that has been sent so far doesn't determine whether > there should be one CVE ID or two CVE IDs. A statement of "does still > allow command injection" would potentially mean two CVE IDs, whereas > "may still allow command injection" could end up as "does not still > allow command injection." The fix applied in Snoopy rev 1.28 was insufficient / incomplete and it did allow command execution. There should be 2 CVEs, afaics. It seems there actually is a longer list of incomplete fixes for this issue. 2002 http://sourceforge.net/p/snoopy/bugs/13/ It seems this allowed the most simple injections: https://example.com;id https://example.com/foo.html;id Fixed in 2004 via: http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.11 This strips double quotes and adds quotes around URI argument. 2005 http://marc.info/?l=full-disclosure&m=113027008504631&w=3 SEC-Consult SA 20051025-0 CVE-2005-3330 This was via curl -H argument value, required use of double quote to escape double quotes quoting of header argument, and required command in the host part of the url: https://example.com";id Fixed in a similar way the previous one was addressed: http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.20 2008 (I guess this is the initial report) http://archives.neohapsis.com/archives/bugtraq/2008-09/0078.html CVE-2008-4796 The version of the _httpsrequest quoted there does not use $safer_URI and hence seems to pre-date the fix from 2004, so it might be the same issue as the 2002/2004 one. However, the use of backtick in the example exploit should have made it work on Snoopy versions with the above two fixes. https://example.com`id` https://example.com/foo.html`id` Fixed using escapeshellcmd(): http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.25 Followed by a similar fix for headers few days later, which probably was not picked up by folks backporting the above commit as the fix for this CVE: http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.27 2014 http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/ The above blog post shows how to inject additional command line arguments for curl and what can be achieved with that. Fixed using escapeshellarg(): http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.28 So this should be new 2014 CVE-1. The above commit reverts rev 1.27 change (I don't dare to guess if that was intentional or not), and hence for the header / -H case, it changed curl command line argument injection into direct arbitrary code injection using backticks as noted for the 2008 issue above. If you need public reference, there's: https://github.com/cogdog/feed2js/pull/12#issuecomment-48283706 or UPD3 update near the end of the mstrokin's blog post. I believe this is should get different 2014 CVE-2, because there was upstream version that was believed to have all issues fixed. Rather than fixing escaping of header arguments, Snoopy upstream removed curl code and made Snoopy open SSL connection to https server directly. That was done in rev 1.29, that was further corrected in subsequent commits. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.