ctags(1) command execution vulnerability

From: Roman Bogorodskiy (bogorodskiy_at_inbox.ru)
Date: 05/04/04

    Date: Tue, 4 May 2004 09:49:09 +0400
    To: freebsd-security@freebsd.org
    From: Roman Bogorodskiy <bogorodskiy@inbox.ru>

    Hello,

    ctags(1) uses the external application sort(1) for sorting the tags file.
    It calls it via the system(3) function.

    Look at the /usr/src/usr.bin/ctags/ctags.c file; there are the following
    lines there:

    if (uflag) {
            (void)asprintf(&cmd, "sort -o %s %s",
                outfile, outfile);
            if (cmd == NULL)
                    err(1, "out of space");
            system(cmd);
            free(cmd);
            cmd = NULL;
    }

    This code is executed when the "-u" argument is given. So, if we execute
    ctags in such a way:

    ctags -u -f ';echo hi' *.c

    we get the following:

    Syntax error: ";" unexpected
    sort: option requires an argument -- o
    Try `sort --help' for more information.
    hi
    hi

    We can put any command instead of 'echo hi' and it will be executed
    (twice).

    I understand that ctags(1) is not a suid application and this
    vulnerability probably could not be exploited. Nevertheless, this is
    bad behavior for any kind of program.

    Solution:

    --- usr.bin/ctags/ctags.c.orig Tue May 4 09:23:30 2004
    +++ usr.bin/ctags/ctags.c Tue May 4 09:25:48 2004
    @@ -166,7 +166,7 @@
                             if (uflag) {
                                     for (step = 0; step < argc; step++) {
                                             (void)asprintf(&cmd,
    - "mv %s OTAGS; fgrep -v '\t%s\t' OTAGS >%s; rm OTAGS",
    + "mv '%s' OTAGS; fgrep -v '\t%s\t' OTAGS >'%s'; rm OTAGS",
                                                 outfile, argv[step], outfile);
                                             if (cmd == NULL)
                                                     err(1, "out of space");
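    Review bot: the single quotes added around the two outfile %s and kept around argv[step] in the mv/fgrep/rm command only neutralise spaces and ';'; a file name or tag name that itself contains a single quote still terminates the quoted string, and the rest of the line is handed to the shell by system(3). A more robust change is to do the "fgrep -v" filtering in-process (read OTAGS, drop the lines whose second tab-separated field equals argv[step], write the result back), or to fork/exec mv, fgrep and rm with argv arrays. The hard-coded relative name OTAGS, created in whatever directory ctags happens to run in, is also worth replacing with a per-invocation temporary file.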
    @@ -181,7 +181,7 @@
                             put_entries(head);
                             (void)fclose(outf);
                             if (uflag) {
    - (void)asprintf(&cmd, "sort -o %s %s",
    + (void)asprintf(&cmd, "sort -o '%s' '%s'",
                                         outfile, outfile);
                                     if (cmd == NULL)
                                             err(1, "out of space");
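    Review bot: the same caveat applies here: "sort -o '%s' '%s'" is still a shell command line, so an outfile containing a single quote breaks out of the quoting. Rather than patching the quoting, drop the asprintf/system pair and run sort(1) directly, e.g. fork() then execvp("sort", argv) with argv = { "sort", "-o", outfile, outfile, NULL } (or posix_spawnp), followed by waitpid(); the file name then travels as one argv element and is never re-parsed by a shell.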

    -Roman Bogorodskiy
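The fix the report's discussion points toward, written out as an added example (this is not code from the original message or from FreeBSD's ctags.c): the tags file is sorted by fork/exec of sort(1) with an explicit argv array instead of a system(3) command line, so the ';echo hi' style file name from the report is passed literally and no shell ever sees it. The helper that writes a small, deliberately unsorted tags file under /tmp with a constructed name containing ";echo hi" exists only to exercise the function; the example assumes sort(1) is on PATH and /tmp is writable.

```c
/* Added example: sort a tags file in place without system(3).
 * Not the FreeBSD ctags.c code; file name and contents are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Run "sort -o outfile outfile" with an argv vector. Because execvp()
 * takes the arguments as separate strings, characters such as ';', '\''
 * or spaces in outfile are just part of a file name.
 * Returns sort's exit status, or -1 if it could not be run. */
int sort_file_argv(const char *outfile)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: no shell involved, nothing is re-parsed */
        char *const argv[] = { "sort", "-o", (char *)outfile, (char *)outfile, NULL };
        execvp(argv[0], argv);
        _exit(127);           /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Return 1 if the lines of path are in non-decreasing strcmp() order. */
int file_is_sorted(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    char prev[256] = "", cur[256];
    int sorted = 1;
    while (fgets(cur, sizeof cur, f) != NULL) {
        if (prev[0] != '\0' && strcmp(prev, cur) > 0) {
            sorted = 0;
            break;
        }
        strcpy(prev, cur);
    }
    fclose(f);
    return sorted;
}

/* Constructed input: three unsorted ctags-style lines in a file whose
 * name carries the metacharacters from the report. Returns a malloc'd
 * path (caller frees) or NULL on failure. */
char *make_tags_file(void)
{
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/ctags-example-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return NULL;
    const char *name = ";echo hi";          /* constructed, hostile-looking name */
    size_t len = strlen(dir) + 1 + strlen(name) + 1;
    char *path = malloc(len);
    if (path == NULL)
        return NULL;
    snprintf(path, len, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (f == NULL) {
        free(path);
        return NULL;
    }
    fputs("zeta\tfoo.c\t/^int zeta/\n", f);
    fputs("alpha\tfoo.c\t/^int alpha/\n", f);
    fputs("mid\tfoo.c\t/^int mid/\n", f);
    fclose(f);
    return path;
}

int main(void)
{
    char *path = make_tags_file();
    if (path == NULL)
        return 1;
    int rc = sort_file_argv(path);
    printf("sort exit status %d, file sorted: %d (%s)\n", rc, file_is_sorted(path), path);
    free(path);
    return rc == 0 ? 0 : 1;
}
```

The contrast with the report's asprintf/system pair is the point: with an argv array there is no quoting to get right, because there is no shell to interpret the string, so neither ';' nor an embedded single quote in the file name changes what runs.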
