Re: ctags(1) command execution vulnerability

From: Michael Hamburg (hamburg_at_fas.harvard.edu)
Date: Tue, 4 May 2004 02:44:05 -0400
To: freebsd-security@freebsd.org

  • Next message: Alex V Eustrop: "Re: Sendmail issues; possible exploit?"

    While I don't think that's much of a vulnerability (you can only really
    attack your own account), your patch doesn't fix it. You can still
    execute code with:

    ctags -u -f "'; echo hi '" *.c

    To remove this "vulnerability," you'd have to either escape the string,
    then quote it, or even better, do the system call with a vector. It
    probably isn't worth the bother, but if you want to patch it, patch it
    right...

    Mike Hamburg

    On May 4, 2004, at 1:49 AM, Roman Bogorodskiy wrote:

    > Hello,
    >
    > ctags(1) uses external application sort(1) for sorting the tags file.
    > It calls it via system(3) function.
    >
    > Look at the /usr/src/usr.bin/ctags/ctags.c file, there are such lines
    > here:
    >
    > if (uflag) {
    >         (void)asprintf(&cmd, "sort -o %s %s",
    >             outfile, outfile);
    >         if (cmd == NULL)
    >                 err(1, "out of space");
    >         system(cmd);
    >         free(cmd);
    >         cmd = NULL;
    > }
    >
    > This code will be executed when the "-u" arg is given. So, if we
    > execute ctags in such a way:
    >
    > ctags -u -f ';echo hi' *.c
    >
    > we get the following:
    >
    > Syntax error: ";" unexpected
    > sort: option requires an argument -- o
    > Try `sort --help' for more information.
    > hi
    > hi
    >
    > We can put any command instead of 'echo hi' and it would be executed
    > (twice).
    >
    > I understand that ctags(1) is not a suid application and this
    > vulnerability probably could not be exploited. Nevertheless, this is a
    > bad behavior for any kind of program.
    >
    > Solution:
    >
    > --- usr.bin/ctags/ctags.c.orig Tue May 4 09:23:30 2004
    > +++ usr.bin/ctags/ctags.c Tue May 4 09:25:48 2004
    > @@ -166,7 +166,7 @@
    > if (uflag) {
    > for (step = 0; step < argc; step++) {
    > (void)asprintf(&cmd,
    > - "mv %s OTAGS; fgrep -v '\t%s\t' OTAGS >%s; rm OTAGS",
    > + "mv '%s' OTAGS; fgrep -v '\t%s\t' OTAGS >'%s'; rm OTAGS",
    > outfile, argv[step], outfile);
    > if (cmd == NULL)
    > err(1, "out of space");
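Review bot: wrapping %s in single quotes in the new asprintf format does not neutralise a single quote inside outfile or argv[step]: an argument such as `'; echo hi '` closes the quote and the remainder is run as a second command, as the reply demonstrates, and argv[step] already sat inside single quotes in the fgrep pattern with the same weakness. Either escape each embedded ' as '\'' before substituting it into the format, or, better, drop the shell and run the mv/fgrep steps via fork(2) and execv(2) with the file names as separate argv entries (or do the tag filtering in-process). The fixed OTAGS scratch name in the current directory is also untouched by this hunk; a mkstemp(3)-style name would avoid clobbering a file that happens to be called OTAGS.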
    > @@ -181,7 +181,7 @@
    > put_entries(head);
    > (void)fclose(outf);
    > if (uflag) {
    > - (void)asprintf(&cmd, "sort -o %s %s",
    > + (void)asprintf(&cmd, "sort -o '%s' '%s'",
    > outfile, outfile);
    > if (cmd == NULL)
    > err(1, "out of space");
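Review bot: same defect as the first hunk: the single quotes in "sort -o '%s' '%s'" hold only while outfile contains no ', so `ctags -u -f "'; echo hi '"` still hands system(3) a second command. Since the arguments are fixed, the simplest correct form is an argument vector: fork(2), then execlp("sort", "sort", "-o", outfile, outfile, NULL) in the child and waitpid(2) in the parent; no quoting is needed and there is nothing for the shell to misparse.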
    >
    >
    > -Roman Bogorodskiy
    >
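The two remedies the reply names, escaping then quoting the file name versus passing an argument vector, side by side as an added example. This is not code from the thread or from ctags.c; the function names shell_quote, build_sort_cmd and run_sort, and the hostile sample file name, are this example's own.

```c
/* Added example (not the ctags.c code or the patch from the thread).
 * Two ways to run `sort -o outfile outfile` when outfile is user-controlled
 * (in ctags it comes straight from the -f option):
 *   1. shell_quote()/build_sort_cmd(): escape every embedded single quote
 *      and wrap the name in single quotes, so the string survives system(3)
 *      as one shell word;
 *   2. run_sort(): skip the shell entirely and hand an argument vector to
 *      execlp(3), which is what the reply recommends. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return a malloc'd copy of s that a POSIX shell parses as exactly one word.
 * Inside single quotes nothing is special except the closing quote, so each
 * embedded ' becomes '\'' (close the quote, a backslash-escaped quote, reopen). */
char *shell_quote(const char *s)
{
    size_t n = strlen(s), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'')
            quotes++;
    /* opening + closing quote, 3 extra bytes per embedded quote, and the NUL */
    char *out = malloc(n + quotes * 3 + 3);
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = s[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Approach 1: the command string ctags would hand to system(3), with the
 * file name quoted.  The caller frees the result. */
char *build_sort_cmd(const char *outfile)
{
    char *q = shell_quote(outfile);
    if (q == NULL)
        return NULL;
    size_t len = strlen("sort -o ") + 2 * strlen(q) + 2; /* space + NUL */
    char *cmd = malloc(len);
    if (cmd != NULL)
        snprintf(cmd, len, "sort -o %s %s", q, q);
    free(q);
    return cmd;
}

/* Approach 2: no shell at all.  Each argument is its own argv element, so
 * ';', quotes and spaces in outfile are just bytes in a file name.
 * Returns sort's exit status, or -1 if fork/exec/wait failed. */
int run_sort(const char *outfile)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("sort", "sort", "-o", outfile, outfile, (char *)NULL);
        _exit(127); /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample: the -f argument from the reply */
    const char *hostile = "'; echo hi '";
    char *cmd = build_sort_cmd(hostile);
    if (cmd == NULL)
        return 1;
    /* the quoted form is one word to the shell, no second command */
    printf("%s\n", cmd);
    free(cmd);
    return 0;
}
```

Of the two, run_sort is the one to prefer: shell_quote is only correct for a POSIX sh, and every future format string has to remember to use it, whereas an argument vector has no parsing step to get wrong.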

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

