From: Michael Hamburg <hamburg@fas.harvard.edu>
Date: Tue, 4 May 2004 02:44:05 -0400
To: freebsd-security@freebsd.org
Subject: Re: ctags(1) command execution vulnerability
In-Reply-To: <20040504054909.GA3119@lame.novel.ru>
Message-Id: <6FDDCA56-9D96-11D8-A696-0003939A19AA@fas.harvard.edu>

While I don't think that's much of a vulnerability (you can only really
attack your own account), your patch doesn't fix it. You can still execute
code with:

    ctags -u -f "'; echo hi '" *.c

To remove this "vulnerability," you'd have to either escape the string,
then quote it, or even better, do the system call with a vector. It
probably isn't worth the bother, but if you want to patch it, patch it
right...

Mike Hamburg

On May 4, 2004, at 1:49 AM, Roman Bogorodskiy wrote:

> Hello,
>
> ctags(1) uses the external application sort(1) for sorting the tags file.
> It calls it via the system(3) function.
>
> Look at the /usr/src/usr.bin/ctags/ctags.c file; there are such lines
> here:
>
>     if (uflag) {
>         (void)asprintf(&cmd, "sort -o %s %s",
>             outfile, outfile);
>         if (cmd == NULL)
>             err(1, "out of space");
>         system(cmd);
>         free(cmd);
>         cmd = NULL;
>     }
>
> This code will be executed when the "-u" arg was given. So, if we
> execute ctags in such a way:
>
>     ctags -u -f ';echo hi' *.c
>
> we get the following:
>
>     Syntax error: ";" unexpected
>     sort: option requires an argument -- o
>     Try `sort --help' for more information.
>     hi
>     hi
>
> We can put any command instead of 'echo hi' and it would be executed
> (two times).
>
> I understand that ctags(1) is not a suid application and this
> vulnerability probably could not be exploited. Nevertheless, this is
> bad behavior for any kind of program.
>
> Solution:
>
> --- usr.bin/ctags/ctags.c.orig Tue May 4 09:23:30 2004
> +++ usr.bin/ctags/ctags.c Tue May 4 09:25:48 2004
> @@ -166,7 +166,7 @@ > if (uflag) { > for (step = 0; step < argc; step++) { > (void)asprintf(&cmd, > - "mv %s OTAGS; fgrep -v '\t%s\t' OTAGS >%s; rm OTAGS", > + "mv '%s' OTAGS; fgrep -v '\t%s\t' OTAGS >'%s'; rm OTAGS", > outfile, argv[step], outfile); > if (cmd == NULL) > err(1, "out of space"); > @@ -181,7 +181,7 @@ > put_entries(head); > (void)fclose(outf); > if (uflag) { > - (void)asprintf(&cmd, "sort -o %s %s", > + (void)asprintf(&cmd, "sort -o '%s' '%s'", > outfile, outfile); > if (cmd == NULL) > err(1, "out of space"); > > > -Roman Bogorodskiy >
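Review bot: the single quotes added around `%s` in the first hunk (@@ -166) do not close the hole, because a file name that itself contains a single quote ends the quoted region early and the rest of the name is parsed by sh(1) again; that is exactly the `ctags -u -f "'; echo hi '" *.c` case given in the reply above. The same hunk also interpolates `argv[step]` into the fgrep pattern `'\t%s\t'`, so a file name from the command line has the identical problem even with outfile quoted. Either escape each embedded quote as `'\''` before wrapping the string, or, better, drop the `mv ...; fgrep ...; rm OTAGS` shell pipeline and run each step with an argument vector (fork/execvp), at which point the fixed-name `OTAGS` temporary in the working directory can become a mkstemp(3) file as well.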
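Review bot: the second hunk (@@ -181) has the same gap: `sort -o '%s' '%s'` still hands outfile to sh(1), twice, and a single quote inside outfile terminates the quoting, so system(3) is reached with user-chosen shell text. sort here receives only fixed arguments plus the file name, so there is no need for a shell at all: fork, then `execlp("sort", "sort", "-o", outfile, outfile, (char *)NULL)`, then waitpid and check the exit status, which also fixes the ignored return value of `system(cmd);` visible in the quoted code.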
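Mike's two alternatives, as an added example that is not code from ctags(1) or from either poster: escaping embedded quotes before single-quoting for sh(1), and the preferred route of no shell at all, running sort(1) through fork/execlp with an argument vector. The demo function, its /tmp directory and the sample file contents are constructed for this example; it assumes sort(1) is on PATH.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Option 1 (escape, then quote): wrap s in single quotes for sh(1), turning
 * each embedded ' into '\'' (close quote, escaped quote, reopen). Caller frees. */
char *shell_single_quote(const char *s)
{
    char *out = malloc(strlen(s) * 4 + 3), *p = out; /* worst case: all quotes */
    if (out == NULL) return NULL;
    *p++ = '\'';
    for (; *s; s++)
        if (*s == '\'') { memcpy(p, "'\\''", 4); p += 4; } else *p++ = *s;
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Option 2 (preferred): run sort(1) with an argv vector instead of system(3).
 * No shell ever sees outfile, so ';' or quotes in it are just bytes of a name.
 * Returns sort's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_sort_vector(const char *outfile)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) { execlp("sort", "sort", "-o", outfile, outfile, (char *)NULL); _exit(127); }
    if (pid == -1 || waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demo: sort a file named with the thread's payload; 1 if sorted in place. */
int demo_hostile_name(void)
{
    char dir[] = "/tmp/ctagsXXXXXX", path[64], buf[16];
    FILE *f;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof path, "%s/'; echo hi '", dir);
    if ((f = fopen(path, "w")) == NULL) return 0;
    fputs("b\na\n", f);
    fclose(f);
    if (run_sort_vector(path) != 0 || (f = fopen(path, "r")) == NULL) return 0;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    unlink(path);
    rmdir(dir);
    return strcmp(buf, "a\nb\n") == 0;
}
```

With the vector form the hostile name is sorted as an ordinary file and no `hi` is ever printed, because nothing parses it as a command line.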