Date: Sat, 27 Dec 2008 23:56:37 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/129981: [vuxml] [patch] net-p2p/verlihub: document and fix CVE-2008-5706
Message-ID: <20081227205637.A0237B8019@phoenix.codelabs.ru>
Resent-Message-ID: <200812272100.mBRL0FXA091484@freefall.freebsd.org>
>Number:         129981
>Category:       ports
>Synopsis:       [vuxml] [patch] net-p2p/verlihub: document and fix CVE-2008-5706
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 27 21:00:15 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
Remote command execution and insecure temporary file usage were discovered in the verlihub peer-to-peer software.
>How-To-Repeat:
http://milw0rm.com/exploits/7183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706
>Fix:
The following patch should fix the issue:

--- net-p2p-verlihub-fix-CVE-2008-5706.diff begins here ---
>From 2b909689e519036965dde9184ab7faa93c53d67b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 27 Dec 2008 23:33:49 +0300

Fix insecure temporary file usage and possible arbitrary command execution in verlihub.

Based on the advisory from v4lkyrius@gmail.com, http://milw0rm.com/exploits/7183,
but I redid almost everything, because the original patch was incorrectly using
results of std::string.c_str() and was stripping special characters from the whole
command.  We should sanitize only the user's input; configuration file directives
should be passed "as-is".

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 net-p2p/verlihub/Makefile                  |    2 +-
 net-p2p/verlihub/files/patch-CVE-2008-5706 |   82 ++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletions(-)
 create mode 100644 net-p2p/verlihub/files/patch-CVE-2008-5706

diff --git a/net-p2p/verlihub/Makefile b/net-p2p/verlihub/Makefile
index 8ef0f5b..d6e86ad 100644
--- a/net-p2p/verlihub/Makefile
+++ b/net-p2p/verlihub/Makefile
@@ -7,7 +7,7 @@ PORTNAME= verlihub DISTVERSION= 0.9.8d-RC2 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= net-p2p MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} diff --git a/net-p2p/verlihub/files/patch-CVE-2008-5706 b/net-p2p/verlihub/files/patch-CVE-2008-5706 new file mode 100644 index 0000000..61dc4ca --- /dev/null +++ b/net-p2p/verlihub/files/patch-CVE-2008-5706 
@@ -0,0 +1,82 @@ +--- src/ctrigger.cpp.orig 2005-04-11 19:18:38.000000000 +0400 ++++ src/ctrigger.cpp 2008-12-27 23:28:14.000000000 +0300 +@@ -7,6 +7,9 @@ + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + ***************************************************************************/ ++#include <errno.h> ++#include <stdio.h> ++#include <string.h> + #include "cserverdc.h" + #include "ctrigger.h" + #include "cconndc.h" +@@ -44,16 +47,33 @@ + { + string buf, filename, sender; + string par1, end1, parall; ++ string cmdl; ++ + if (conn && conn->mpUser) + { ++ cmd_line >> cmdl; ++ /* Sanitise user input if we're going to exec anything */ ++ if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) { ++ string cleaned = string(); ++ const string toclean = string(";\"'\\`:!${}[]&><|~/"); ++ ++ for (string::iterator i = cmdl.begin(); ++ i < cmdl.end(); ++ i++) { ++ if (toclean.find(*i) == string::npos) ++ cleaned.append(1, *i); ++ } ++ cmdl = cleaned; ++ } ++ + int uclass = conn->mpUser->mClass; + if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) { + +- if(cmd_line.str().size() > mCommand.size()) { +- parall.assign(cmd_line.str(),mCommand.size()+1,string::npos); ++ if(cmdl.size() > mCommand.size()) { ++ parall.assign(cmdl,mCommand.size()+1,string::npos); + } +- cmd_line >> par1; +- end1 = cmd_line.str(); ++ par1 = cmdl; ++ end1 = cmdl; + + sender = server.mC.hub_security; + if (mSendAs.size()) sender = mSendAs; +@@ -104,14 +124,25 @@ + + if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) { + string command(buf); +- filename = server.mConfigBaseDir; +- filename.append("/tmp/trigger.tmp"); +- command.append(" > "); +- command.append(filename); ++ char buffer[1024]; ++ FILE *stream; ++ + cout << command << endl; +- system(command.c_str()); + buf = ""; +- if (!LoadFileInString(filename,buf)) return 0; ++ stream = popen(command.c_str(), "r"); ++ if (stream == NULL) { ++ cout << strerror(errno) << 
std::endl; ++ return 0; ++ } else { ++ while (fgets(buffer, sizeof(buffer), ++ stream) != NULL) ++ buf.append(buffer); ++ if (pclose(stream) == -1) { ++ cout << strerror(errno) << ++ std::endl; ++ return 0; ++ } ++ } + } + + // @CHANGED by dReiska +BEGINS+ -- 1.6.0.5 --- net-p2p-verlihub-fix-CVE-2008-5706.diff ends here ---

I had tested basic compilability and checked patch sanity, but I was not able to test it for the real verlihub server. So, it would be great if the maintainer is able to do it. The cited advisory from MilW0rm should be a good guide for the tests.

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
<vuln vid="4b2c603e-d456-11dd-84ec-001fc66e7203">
  <topic>verlihub -- insecure temporary file usage and arbitrary command execution</topic>
  <affects>
    <package>
      <name>verlihub</name>
      <range><lt>0.9.8.d.r2_2,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Anonymous security researcher reports:</p>
      <blockquote cite="http://milw0rm.com/exploits/7183">
        <p>Verlihub does not sanitize user input passed to the shell via its "trigger" mechanism.</p>
      </blockquote>
      <p>Entry for CVE-2008-5706 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706">
        <p>The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/trigger.tmp temporary file.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-5706</cvename>
    <url>http://milw0rm.com/exploits/7183</url>
  </references>
  <dates>
    <discovery>22-11-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
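Review bot: in the `@@ -44,16 +47,33 @@` hunk of the embedded `src/ctrigger.cpp` patch, `cmd_line >> cmdl;` extracts only one whitespace-delimited token from the stream, whereas the code it replaces worked on `cmd_line.str()`, the whole line; as a result `parall` (assigned from `cmdl` at offset `mCommand.size()+1`) and `end1` no longer carry any parameter past the first, and `par1 = cmdl; end1 = cmdl;` leaves the two identical where the old code had `cmd_line >> par1; end1 = cmd_line.str();`. Suggest taking the full line, `cmdl = cmd_line.str();`, running the sanitiser over that, and then deriving `parall`, `par1` and `end1` from the cleaned string the way the old code derived them from the stream. On the sanitiser itself: the `toclean` blacklist (`;\"'\\`:!${}[]&><|~/`) omits newline and carriage return, which `/bin/sh` also honours as command separators, and a blacklist is easy to leave incomplete; a whitelist that keeps only the characters trigger parameters legitimately need (alphanumerics, space and a few punctuation marks) is the more robust check. Minor style point: the iterator loop should compare with `i != cmdl.end()` rather than `<`.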
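Review bot: in the `@@ -104,14 +124,25 @@` hunk, `pclose(stream)` is only compared against `-1`; its normal return value is the child's wait status, so a trigger command that fails with a non-zero exit still has whatever it wrote handed back in `buf` and `DoIt` carries on as if it had succeeded. Suggest keeping the status, e.g. `int status = pclose(stream); if (status == -1 || status != 0) { ... return 0; }`, and treating a failed command like the error path. The switch from `system()` plus the fixed `/tmp/trigger.tmp` file to `popen()` does remove the symlink target named in CVE-2008-5706, but `popen()` still runs `command` through `/bin/sh`, so the configured `mCommand` prefix is executed unsanitised; the commit message says this is intended, which is worth repeating in a code comment next to the `popen()` call. Two small style points: the `else {` block after `return 0;` is redundant, and `strerror(errno)` is written to `cout` alongside the echoed command rather than to the server's log.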