GNU bug report logs - #59817
[PATCH] Fix etags local command injection vulnerability


Package: emacs;

Reported by: lux <lx <at> shellcodes.org>

Date: Sun, 4 Dec 2022 13:52:01 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#59817: closed ([PATCH] Fix etags local command injection
 vulnerability)
Date: Tue, 06 Dec 2022 16:16:02 +0000
Your message dated Tue, 06 Dec 2022 18:14:43 +0200
with message-id <83359s7bm4.fsf <at> gnu.org>
and subject line Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
has caused the debbugs.gnu.org bug report #59817,
regarding [PATCH] Fix etags local command injection vulnerability
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
59817: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59817
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: lux <lx <at> shellcodes.org>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Fix etags local command injection vulnerability
Date: Sun, 4 Dec 2022 21:51:13 +0800
Hi, this patch fixes a new local command injection vulnerability in
etags.c.

This vulnerability occurs in the following code:

	#if MSDOS || defined (DOS_NT)
		 char *cmd1 = concat (compr->command, " \"", real_name);
		 char *cmd = concat (cmd1, "\" > ", tmp_name);
	#else
		 char *cmd1 = concat (compr->command, " '", real_name);
		 char *cmd = concat (cmd1, "' > ", tmp_name);
	#endif
		 free (cmd1);
		 inf = (system (cmd) == -1
		        ? NULL
		        : fopen (tmp_name, "r" FOPEN_BINARY));
		 free (cmd);
	       }

Vulnerability #1:

The tmp_name variable gets its value from the etags_mktmp() function; this
function takes the value from the environment variable `TMPDIR`, `TEMP`
or `TMP`, but without checking the value. So, if the hacker can
control these environment variables, they can execute shell code.

Attack example:

$ ls
etags.c
$ zip etags.z etags.c
  adding: etags.c (deflated 72%)
$ tmpdir="/tmp/;uname -a;/"
$ mkdir $tmpdir
$ TMPDIR=$tmpdir etags *
sh: line 1: /tmp/: Is a directory
Linux mypc 6.0.10-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 26
16:55:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux sh: line 1: /etECggCJ:
No such file or directory etags: skipping inclusion of TAGS in self.

Vulnerability #2:

If the target file is a compressed file, etags executes system commands
(such as gzip, etc.), but does not check the file name.

Attack example:

$ ls
etags.c
$ zip "';uname -a;'test.z" etags.c  <--- inject the shell code to
filename
adding: etags.c (deflated 72%)
$ etags *
gzip: .gz: No such file or directory
Linux mypc 6.0.10-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 26
16:55:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux sh: line 1: test.z:
command not found

I fixed this vulnerability by creating a process instead of calling
sh or cmd.exe, and this patch works on Linux, BSD and Windows.
[0001-Fix-etags-local-command-injection-vulnerability.patch (text/x-patch, attachment)]
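A shell-free replacement for the system() call quoted above, as an added example (my own code, not the patch attached to this report). It assumes the decompressor command, e.g. gzip -d -c, has already been split into argv words, and uses echo in place of gzip so the check runs anywhere; both hostile values from the two attack examples are replayed against it.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (my own code, not the etags patch): run the decompressor
   with no shell, so ';' in a file name or in TMPDIR is never a command.
   Assumes the command (e.g. "gzip -d -c") is already split into words. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/* Run argv[0] with stdout redirected to out_path.  argv and out_path go
   straight to execvp() and open(), so shell metacharacters are just bytes.
   Returns the child's exit status, or -1 on error. */
int run_to_file (char *const argv[], const char *out_path)
{
  int out = open (out_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
  if (out < 0) return -1;
  pid_t pid = fork ();
  if (pid < 0) { close (out); return -1; }
  if (pid == 0)                 /* child: attach stdout, then exec */
    {
      if (dup2 (out, STDOUT_FILENO) < 0) _exit (127);
      close (out);
      execvp (argv[0], argv);
      _exit (127);              /* exec failed; 127 as sh would report */
    }
  close (out);
  int status;
  if (waitpid (pid, &status, 0) < 0) return -1;
  return WIFEXITED (status) ? WEXITSTATUS (status) : -1;
}

/* Replay both attacks from the report against run_to_file(): a TMPDIR and a
   file name that each contain ";uname -a;".  echo stands in for gzip so the
   check runs anywhere.  Returns 1 if the output holds only the literal name. */
int demo_injection_safe (void)
{
  char dir[] = "/tmp/etags-exXXXXXX", sub[300], out[330], line[128] = "";
  const char *hostile = "';uname -a;'test.z";     /* constructed file name */
  if (!mkdtemp (dir)) return 0;
  snprintf (sub, sizeof sub, "%s/;uname -a;", dir);   /* hostile TMPDIR */
  if (mkdir (sub, 0700) != 0) return 0;
  snprintf (out, sizeof out, "%s/out.txt", sub);
  char *const argv[] = { "echo", (char *) hostile, NULL };
  if (run_to_file (argv, out) != 0) return 0;
  FILE *f = fopen (out, "r");
  if (f) { if (fgets (line, sizeof line, f)) line[strcspn (line, "\n")] = 0; fclose (f); }
  return strcmp (line, hostile) == 0;
}
```

With a shell in the path, the same two values would run uname as in the report; here the output file simply contains the file name, and a missing command surfaces as exit status 127 instead of a second command being parsed.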
From: Eli Zaretskii <eliz <at> gnu.org>
To: lux <lx <at> shellcodes.org>
Cc: stefankangas <at> gmail.com, 59817-done <at> debbugs.gnu.org
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 06 Dec 2022 18:14:43 +0200
> Date: Tue, 6 Dec 2022 23:49:05 +0800
> From: lux <lx <at> shellcodes.org>
> Cc: stefankangas <at> gmail.com, 59817 <at> debbugs.gnu.org
> 
> >From d1dd12396b7d99ff93e6a846c96ae600addac847 Mon Sep 17 00:00:00 2001
> From: lu4nx <lx <at> shellcodes.org>
> Date: Tue, 6 Dec 2022 15:42:40 +0800
> Subject: [PATCH] Fix etags local command injection vulnerability
> 
> * lib-src/etags.c:
> 
> (escape_shell_arg_string): New function.

Thanks, installed with some minor changes.

