[UNIX] a2ps Executing Shell Commands From File Name

From: SecuriTeam (support_at_securiteam.com)
Date: 08/29/04

  • Next message: SecuriTeam: "[NT] Painkiller DoS and Limited Code Execution" 
    To: list@securiteam.com
Date: 29 Aug 2004 09:05:32 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      a2ps Executing Shell Commands From File Name
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.infres.enst.fr/~demaille/a2ps/> a2ps is "an Any to PostScript
    filter". a2ps can be made to execute shell commands from a given filename
    allowing an attacker to execute arbitrary commands.

    DETAILS

    Vulnerable Systems:
     * a2ps version 4.13, possibly prior, on all platforms supported with Bash
    or C-shell used by System()

    Immune Systems:
     * a2ps latest from CVS, FreeBSD only

    a2ps can execute shell commands from file names. Unless you use a2ps with
    wildcards from a world-writeable directory like /tmp, this issue doesn t
    pose a real impact on your system.

    How to reproduce:
    $ touch 'x`echo >&2 42`.c'
    $ a2ps -o /dev/null *.c
    42
    [x`echo >&2 42`.c (C): 0 pages on 0 sheets]
    [Total: 0 pages on 0 sheets] saved into the file `/dev/null'
    $ a2ps -V
    GNU a2ps 4.13
    Written by Akim Demaille, Miguel Santana.

    How it was found:
    $ touch 'LAN (div0)'
    $ a2ps -o /dev/null LAN*
    sh: -c: line 1: syntax error near unexpected token `('
    sh: -c: line 1: `/usr/bin/file -L LAN (div0)'
    [LAN (div0) (plain): 0 pages on 0 sheets]
    [Total: 0 pages on 0 sheets] saved into the file `/dev/null'

    Workaround
    Do not use wildcards in a2ps command lines except if you do that in a
    directory only you can create files in and where you know the contents.

    Patch Availability:
    A patch was written by Rudolf and was sent to the FreeBSD developers, the
    Debian a2ps maintainer and to GNU itself. However, the patch was only
    admitted into the CVS tree for a2ps by the FreeBSD team, making the
    FreeBSD version the only one with a fix.

    The patch can be found at
    <http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain> http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain.

    The patch itself might not work on Windows even though the problem exists
    if command.com is used a shell interpreter. The filename might be
    different though.

    For convenience, it is also copied here:
    --- src/select.c.orig Thu Dec 16 02:04:56 1999
    +++ src/select.c Sat Aug 21 12:05:31 2004
    @@ -131,6 +131,36 @@
       return 1;
     }
     
    +/* escapes the name of a file so that the shell groks it in 'single'
    q.marks.
    + The resulting pointer has to be free()ed when not longer used. */
    +char *
    +shell_escape(const char *fn)
    +{
    + size_t len = 0;
    + const char *inp;
    + char *retval, *outp;
    +
    + for(inp = fn; *inp; ++inp)
    + switch(*inp)
    + {
    + case '\'': len += 4; break;
    + default: len += 1; break;
    + }
    +
    + outp = retval = malloc(len + 1);
    + if(!outp)
    + return NULL; /* perhaps one should do better error handling here */
    + for(inp = fn; *inp; ++inp)
    + switch(*inp)
    + {
    + case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ =
    '\''; break;
    + default: *outp++ = *inp; break;
    + }
    + *outp = 0;
    +
    + return retval;
    +}
    +
     /* What says file about the type of a file (result is malloc'd). NULL
       if could not be run. */
     
    @@ -144,11 +174,15 @@
       if (IS_EMPTY (job->file_command))
         return NULL;
     
    + filename = shell_escape(filename);
    + if(filename == NULL)
    + return NULL;
       /* Call file(1) with the correct option */
    - command = ALLOCA (char, (2
    + command = ALLOCA (char, (4
           + strlen (job->file_command)
           + ustrlen (filename)));
    - sprintf (command, "%s %s", job->file_command, (const char *) filename);
    + sprintf (command, "%s '%s'", job->file_command, (const char *)
    filename);
    + free(filename);
       message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
       file_out = popen (command, "r");

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:divzero@gmail.com> Rudolf
    Polzer.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Painkiller DoS and Limited Code Execution"

    Relevant Pages