看板 FB_security 關於我們 聯絡資訊
發信人hamburg@fas.harvard.edu (Michael Hamburg),
看板FB_security
標 題Re: ctags(1) command execution vulnerability
發信站NCTU CSIE FreeBSD Server (Tue May 4 06:41:49 2004)
轉信站ptt!FreeBSD.csie.NCTU!not-for-mail
While I don't think that's much of a vulnerability (you can only really attack your own account), your patch doesn't fix it. You can still executed code with: ctags -u -f "'; echo hi '" *.c To remove this "vulnerability," you'd have to either escape the string, then quote it, or even better, do the system call with a vector. It probably isn't worth the bother, but if you want to patch it, patch it right... Mike Hamburg On May 4, 2004, at 1:49 AM, Roman Bogorodskiy wrote: > Hello, > > ctags(1) uses external application sort(1) for sorting the tags file. > It calls it via system(3) function. > > Look at the /usr/src/usr.bin/ctags/ctags.c file, there are such lines > here: > > if (uflag) { > (void)asprintf(&cmd, "sort -o %s %s", > outfile, outfile); > if (cmd == NULL) > err(1, "out of space"); > system(cmd); > free(cmd); > cmd = NULL; > } > > This code will be executed when "-u" arg was given. So, if we'll > execute > ctags in a such way: > > ctags -u -f ';echo hi' *.c > > we get the following: > > Syntax error: ";" unexpected > sort: option requires an argument -- o > Try `sort --help' for more information. > hi > hi > > We can put any command instead of 'echo hi' and it would be executed > (for two times). > > I understand that ctags(1) is not a suid application and this > vulnerability probably could not be exploited. Never the less, this is > a > bad behavior for any kind of program. > > Solution: > > --- usr.bin/ctags/ctags.c.orig Tue May 4 09:23:30 2004 > +++ usr.bin/ctags/ctags.c Tue May 4 09:25:48 2004 > @@ -166,7 +166,7 @@ > if (uflag) { > for (step = 0; step < argc; step++) { > (void)asprintf(&cmd, > - "mv %s OTAGS; fgrep -v '\t%s\t' OTAGS >%s; rm OTAGS", > + "mv '%s' OTAGS; fgrep -v '\t%s\t' OTAGS >'%s'; rm OTAGS", > outfile, argv[step], outfile); > if (cmd == NULL) > err(1, "out of space"); > @@ -181,7 +181,7 @@ > put_entries(head); > (void)fclose(outf); > if (uflag) { > - (void)asprintf(&cmd, "sort -o %s %s", > + (void)asprintf(&cmd, "sort -o '%s' '%s'", > outfile, outfile); > if (cmd == NULL) > err(1, "out of space"); > > > -Roman Bogorodskiy > _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"