GNU bug report logs - #59817
[PATCH] Fix etags local command injection vulnerability


Package: emacs;

Reported by: lux <lx <at> shellcodes.org>

Date: Sun, 4 Dec 2022 13:52:01 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: lux <lx <at> shellcodes.org>
Subject: bug#59817: closed (Re: bug#59817: [PATCH] Fix etags local command
 injection vulnerability)
Date: Tue, 06 Dec 2022 16:16:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#59817: [PATCH] Fix etags local command injection vulnerability

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 59817 <at> debbugs.gnu.org.

-- 
59817: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59817
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Eli Zaretskii <eliz <at> gnu.org>
To: lux <lx <at> shellcodes.org>
Cc: stefankangas <at> gmail.com, 59817-done <at> debbugs.gnu.org
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 06 Dec 2022 18:14:43 +0200
> Date: Tue, 6 Dec 2022 23:49:05 +0800
> From: lux <lx <at> shellcodes.org>
> Cc: stefankangas <at> gmail.com, 59817 <at> debbugs.gnu.org
> 
> From d1dd12396b7d99ff93e6a846c96ae600addac847 Mon Sep 17 00:00:00 2001
> From: lu4nx <lx <at> shellcodes.org>
> Date: Tue, 6 Dec 2022 15:42:40 +0800
> Subject: [PATCH] Fix etags local command injection vulnerability
> 
> * lib-src/etags.c:
> 
> (escape_shell_arg_string): New function.

Thanks, installed with some minor changes.

[Message part 3 (message/rfc822, inline)]
From: lux <lx <at> shellcodes.org>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Fix etags local command injection vulnerability
Date: Sun, 4 Dec 2022 21:51:13 +0800
[Message part 4 (text/plain, inline)]
Hi, this patch fixes a new local command injection vulnerability in
etags.c.

This vulnerability occurs in the following code:

    #if MSDOS || defined (DOS_NT)
        char *cmd1 = concat (compr->command, " \"", real_name);
        char *cmd = concat (cmd1, "\" > ", tmp_name);
    #else
        char *cmd1 = concat (compr->command, " '", real_name);
        char *cmd = concat (cmd1, "' > ", tmp_name);
    #endif
        free (cmd1);
        inf = (system (cmd) == -1
               ? NULL
               : fopen (tmp_name, "r" FOPEN_BINARY));
        free (cmd);
      }

Vulnerability #1:

The tmp_name variable gets its value from the etags_mktmp() function, and
this function takes the value from the environment variable `TMPDIR`, `TEMP`
or `TMP` without checking it. So, if the attacker can control these
environment variables, they can execute shell code.

Attack example:

$ ls
etags.c
$ zip etags.z etags.c
  adding: etags.c (deflated 72%)
$ tmpdir="/tmp/;uname -a;/"
$ mkdir $tmpdir
$ TMPDIR=$tmpdir etags *
sh: line 1: /tmp/: Is a directory
Linux mypc 6.0.10-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
sh: line 1: /etECggCJ: No such file or directory
etags: skipping inclusion of TAGS in self.

Vulnerability #2:

If the target file is a compressed file, etags executes system commands (such
as gzip, etc.), but does not check the file name.

Attack example:

$ ls
etags.c
$ zip "';uname -a;'test.z" etags.c    <--- inject the shell code into the filename
  adding: etags.c (deflated 72%)
$ etags *
gzip: .gz: No such file or directory
Linux mypc 6.0.10-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
sh: line 1: test.z: command not found

I fixed this vulnerability by creating a process instead of calling
sh or cmd.exe, and this patch works on Linux, BSD and Windows.
[0001-Fix-etags-local-command-injection-vulnerability.patch (text/x-patch, attachment)]
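The following is an added example written for this page; it is not the attached patch and does not reproduce the patch's escape_shell_arg_string. It places the report's vulnerable construction (compr->command, real_name and tmp_name spliced into one string for system()) beside two hardened forms: a hypothetical shell_quote_arg() that single-quotes each untrusted piece before the string reaches the shell, and run_without_shell(), which follows the report's own remedy of spawning the decompressor directly with fork/exec and redirecting its stdout to the temporary file, so no shell ever parses the file name. All function names, the "gzip -d <" command string and the sample file contents are constructed for the example.

```c
/* Added example, not code from the etags patch.  Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>

/* concat() in the spirit of the quoted etags snippet; caller frees the result. */
static char *concat (const char *a, const char *b, const char *c)
{
  size_t la = strlen (a), lb = strlen (b), lc = strlen (c);
  char *r = malloc (la + lb + lc + 1);
  if (!r) abort ();
  memcpy (r, a, la);
  memcpy (r + la, b, lb);
  memcpy (r + la + lb, c, lc + 1);
  return r;
}

/* The vulnerable construction from the report: REAL_NAME and TMP_NAME are
   spliced into a shell command line unescaped, so a quote or ';' inside
   either one ends the argument and starts a new shell command. */
char *build_cmd_unsafe (const char *command, const char *real_name,
                        const char *tmp_name)
{
  char *cmd1 = concat (command, " '", real_name);
  char *cmd = concat (cmd1, "' > ", tmp_name);
  free (cmd1);
  return cmd;
}

/* Hypothetical quoting helper (assumption; not the patch's
   escape_shell_arg_string): wrap ARG in single quotes and rewrite every
   embedded single quote as '\'' so a POSIX shell reads ARG literally. */
char *shell_quote_arg (const char *arg)
{
  size_t n = strlen (arg), quotes = 0;
  for (size_t i = 0; i < n; i++)
    if (arg[i] == '\'') quotes++;
  char *out = malloc (n + 2 + quotes * 3 + 1);
  if (!out) abort ();
  char *p = out;
  *p++ = '\'';
  for (size_t i = 0; i < n; i++)
    {
      if (arg[i] == '\'') { memcpy (p, "'\\''", 4); p += 4; }
      else *p++ = arg[i];
    }
  *p++ = '\'';
  *p = '\0';
  return out;
}

/* Hardened string construction: both untrusted pieces are quoted first. */
char *build_cmd_quoted (const char *command, const char *real_name,
                        const char *tmp_name)
{
  char *qname = shell_quote_arg (real_name), *qtmp = shell_quote_arg (tmp_name);
  char *cmd1 = concat (command, " ", qname);
  char *cmd = concat (cmd1, " > ", qtmp);
  free (cmd1); free (qname); free (qtmp);
  return cmd;
}

/* The report's remedy: exec COMMAND with REAL_NAME as one argv element and
   redirect stdout to TMP_NAME.  No shell parses either string.
   Returns the child's exit status, or -1 on failure. */
int run_without_shell (const char *command, const char *real_name,
                       const char *tmp_name)
{
  int fd = open (tmp_name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
  if (fd < 0) return -1;
  pid_t pid = fork ();
  if (pid < 0) { close (fd); return -1; }
  if (pid == 0)
    {
      if (dup2 (fd, STDOUT_FILENO) < 0) _exit (127);
      close (fd);
      execlp (command, command, real_name, (char *) NULL);
      _exit (127);
    }
  close (fd);
  int status;
  if (waitpid (pid, &status, 0) < 0) return -1;
  return WIFEXITED (status) ? WEXITSTATUS (status) : -1;
}

/* Self-check: inside DIR, create a file whose name carries the report's
   payload, run "cat" on it without a shell, and return 1 if the output file
   holds exactly the file's contents (the name was treated as data). */
int demo_literal_filename (const char *dir)
{
  const char payload_name[] = "';uname -a;'test.z";  /* constructed */
  const char content[] = "etags.c contents\n";       /* constructed */
  char in[4096], out[4096], buf[64] = {0};
  snprintf (in, sizeof in, "%s/%s", dir, payload_name);
  snprintf (out, sizeof out, "%s/out.txt", dir);
  FILE *f = fopen (in, "w");
  if (!f) return 0;
  fputs (content, f);
  fclose (f);
  if (run_without_shell ("cat", in, out) != 0) return 0;
  if (!(f = fopen (out, "r"))) return 0;
  size_t got = fread (buf, 1, sizeof buf - 1, f);
  fclose (f);
  return got == strlen (content) && memcmp (buf, content, got) == 0;
}

int main (void)
{
  const char *name = "';uname -a;'test.z", *tmp = "/tmp/;uname -a;/x";
  char *u = build_cmd_unsafe ("gzip -d <", name, tmp);
  char *q = build_cmd_quoted ("gzip -d <", name, tmp);
  printf ("unsafe: %s\nquoted: %s\n", u, q);
  free (u); free (q);
  char tmpl[] = "/tmp/etagsdemoXXXXXX";
  char *dir = mkdtemp (tmpl);
  printf ("no-shell run treats name literally: %d\n",
          dir ? demo_literal_filename (dir) : 0);
  return 0;
}
```

The printed "unsafe" line shows the exact string the shell would receive from the original code, with the payload's quotes closing the argument; the "quoted" line shows the same input neutralised. run_without_shell() is the stronger option because the decompressor name is the only thing chosen by the program, and the file name and temporary path are never interpreted by anything but the kernel's path lookup.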
