From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Dec 27 21:00:16 2008
Date: Sat, 27 Dec 2008 23:56:37 +0300 (MSK)
Message-Id: <20081227205637.A0237B8019@phoenix.codelabs.ru>
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: skylord@vt.net.ru
Cc:
Subject: ports/129981: [vuxml] [patch] net-p2p/verlihub: document and fix CVE-2008-5706
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports
X-List-Received-Date: Sat, 27 Dec 2008 21:00:16 -0000

>Number: 129981
>Category: ports
>Synopsis: [vuxml] [patch] net-p2p/verlihub: document and fix CVE-2008-5706
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 27 21:00:15 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
Remote command execution and insecure temporary file usage were discovered in the verlihub peer-to-peer software.
>How-To-Repeat:
http://milw0rm.com/exploits/7183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706
>Fix:
The following patch should fix the issue:

--- net-p2p-verlihub-fix-CVE-2008-5706.diff begins here ---
>From 2b909689e519036965dde9184ab7faa93c53d67b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sat, 27 Dec 2008 23:33:49 +0300

Fix insecure temporary file usage and possible arbitrary command execution in verlihub.

Based on the advisory from v4lkyrius@gmail.com, http://milw0rm.com/exploits/7183, but I redid almost everything, because the original patch was incorrectly using the results of std::string.c_str() and was stripping special characters from the whole command. We should sanitize only the user's input; configuration file directives should be passed "as-is".
Signed-off-by: Eygene Ryabinkin --- net-p2p/verlihub/Makefile | 2 +- net-p2p/verlihub/files/patch-CVE-2008-5706 | 82 ++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 1 deletions(-) create mode 100644 net-p2p/verlihub/files/patch-CVE-2008-5706 diff --git a/net-p2p/verlihub/Makefile b/net-p2p/verlihub/Makefile index 8ef0f5b..d6e86ad 100644 --- a/net-p2p/verlihub/Makefile +++ b/net-p2p/verlihub/Makefile @@ -7,7 +7,7 @@ PORTNAME= verlihub DISTVERSION= 0.9.8d-RC2 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= net-p2p MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} diff --git a/net-p2p/verlihub/files/patch-CVE-2008-5706 b/net-p2p/verlihub/files/patch-CVE-2008-5706 new file mode 100644 index 0000000..61dc4ca --- /dev/null +++ b/net-p2p/verlihub/files/patch-CVE-2008-5706 
@@ -0,0 +1,82 @@ +--- src/ctrigger.cpp.orig 2005-04-11 19:18:38.000000000 +0400 ++++ src/ctrigger.cpp 2008-12-27 23:28:14.000000000 +0300 +@@ -7,6 +7,9 @@ + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + ***************************************************************************/ ++#include ++#include ++#include + #include "cserverdc.h" + #include "ctrigger.h" + #include "cconndc.h" +@@ -44,16 +47,33 @@ + { + string buf, filename, sender; + string par1, end1, parall; ++ string cmdl; ++ + if (conn && conn->mpUser) + { ++ cmd_line >> cmdl; ++ /* Sanitise user input if we're going to exec anything */ ++ if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) { ++ string cleaned = string(); ++ const string toclean = string(";\"'\\`:!${}[]&><|~/"); ++ ++ for (string::iterator i = cmdl.begin(); ++ i < cmdl.end(); ++ i++) { ++ if (toclean.find(*i) == string::npos) ++ cleaned.append(1, *i); ++ } ++ cmdl = cleaned; ++ } ++ + int uclass = conn->mpUser->mClass; + if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) { + +- if(cmd_line.str().size() > mCommand.size()) { +- parall.assign(cmd_line.str(),mCommand.size()+1,string::npos); ++ if(cmdl.size() > mCommand.size()) { ++ parall.assign(cmdl,mCommand.size()+1,string::npos); + } +- cmd_line >> par1; +- end1 = cmd_line.str(); ++ par1 = cmdl; ++ end1 = cmdl; + + sender = server.mC.hub_security; + if (mSendAs.size()) sender = mSendAs; +@@ -104,14 +124,25 @@ + + if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) { + string command(buf); +- filename = server.mConfigBaseDir; +- filename.append("/tmp/trigger.tmp"); +- command.append(" > "); +- command.append(filename); ++ char buffer[1024]; ++ FILE *stream; ++ + cout << command << endl; +- system(command.c_str()); + buf = ""; +- if (!LoadFileInString(filename,buf)) return 0; ++ stream = popen(command.c_str(), "r"); ++ if (stream == NULL) { ++ cout << strerror(errno) << std::endl; ++ return 0; ++ } else { 
++ while (fgets(buffer, sizeof(buffer), ++ stream) != NULL) ++ buf.append(buffer); ++ if (pclose(stream) == -1) { ++ cout << strerror(errno) << ++ std::endl; ++ return 0; ++ } ++ } + } + + // @CHANGED by dReiska +BEGINS+ -- 1.6.0.5 --- net-p2p-verlihub-fix-CVE-2008-5706.diff ends here ---

I had tested basic compilability and checked patch sanity, but I was not able to test it on a real verlihub server. So it would be great if the maintainer could do it. The cited advisory from MilW0rm should be a good guide for the tests.

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
verlihub -- insecure temporary file usage and arbitrary command execution
verlihub 0.9.8.d.r2_2,1

Anonymous security researcher reports:

Verlihub does not sanitize user input passed to the shell via its "trigger" mechanism.

Entry for CVE-2008-5706 says:

The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/trigger.tmp temporary file.

References: CVE-2008-5706, http://milw0rm.com/exploits/7183
Dates: 22-11-2008, TODAY
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
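Review bot: the three added `+#include` lines in the `@@ -7,6 +7,9 @@` hunk carry no header name in the copy as posted, so the patch as shown cannot compile; the code added later in the file calls popen/pclose/fgets, strerror and errno, so those lines should name the headers that declare them (e.g. `<cstdio>`, `<cstring>`, `<cerrno>`), and the angle brackets should be checked for having been lost in transit.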
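Review bot: `cmd_line >> cmdl` in the `@@ -44,16 +47,33 @@` hunk extracts a single whitespace-delimited token, whereas the replaced code worked on `cmd_line.str()`, the whole line; everything after the first space is therefore never seen by the sanitiser and no longer reaches `parall`, `par1` and `end1`, which now all receive the same token. Read the remaining line instead (for example `cmdl = cmd_line.str()` or `std::getline(cmd_line, cmdl)`) and keep the original token split for `par1`. Separately, the blocklist `;\"'\\`:!${}[]&><|~/` silently strips characters rather than rejecting the request, and it omits other shell-significant characters such as parentheses, `*`, `?` and newline; an allow-list that keeps only the characters triggers actually need, with a logged rejection of anything else, is easier to reason about and gives the hub operator a signal instead of quietly running a mangled command.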
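Review bot: `popen()` in the `@@ -104,14 +124,25 @@` hunk still hands `command` to `/bin/sh -c`, so dropping the `/tmp/trigger.tmp` redirection closes the symlink issue in CVE-2008-5706, but resistance to command injection now rests entirely on the character filter in the earlier hunk; if triggers do not need shell syntax, fork/execv with an argument vector would take the shell out of the path altogether. Two smaller points: the `} else {` after `return 0;` is redundant and only adds nesting, and `pclose()` returns the child's exit status on command failure rather than -1, so a failing command is treated as success; logging a non-zero status would help the operator. `cout << command << endl` also writes the user-influenced command line to stdout, which is fine for debugging but worth keeping in mind when the hub's output is logged.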