Date:      Tue, 4 May 2004 02:44:05 -0400
From:      Michael Hamburg <hamburg@fas.harvard.edu>
To:        freebsd-security@freebsd.org
Subject:   Re: ctags(1) command execution vulnerability
Message-ID:  <6FDDCA56-9D96-11D8-A696-0003939A19AA@fas.harvard.edu>
In-Reply-To: <20040504054909.GA3119@lame.novel.ru>
References:  <20040504054909.GA3119@lame.novel.ru>

While I don't think that's much of a vulnerability (you can only really 
attack your own account), your patch doesn't fix it.  You can still 
execute code with:

ctags -u -f "'; echo hi '" *.c

To remove this "vulnerability," you'd have to either escape the string, 
then quote it, or even better, do the system call with a vector.  It 
probably isn't worth the bother, but if you want to patch it, patch it 
right...

Mike Hamburg

On May 4, 2004, at 1:49 AM, Roman Bogorodskiy wrote:

> Hello,
>
> 	ctags(1) uses the external application sort(1) for sorting the tags file.
> It calls it via the system(3) function.
>
> Look at the /usr/src/usr.bin/ctags/ctags.c file; it contains these
> lines:
>
> if (uflag) {
> 	(void)asprintf(&cmd, "sort -o %s %s",
> 	    outfile, outfile);
> 	if (cmd == NULL)
> 		err(1, "out of space");
> 	system(cmd);
> 	free(cmd);
> 	cmd = NULL;
> }
>
> This code is executed when the "-u" argument is given. So, if we
> execute ctags in such a way:
>
> ctags -u -f ';echo hi' *.c
>
> we get the following:
>
> Syntax error: ";" unexpected
> sort: option requires an argument -- o
> Try `sort --help' for more information.
> hi
> hi
>
> We can put any command instead of 'echo hi' and it will be executed
> (twice).
>
> I understand that ctags(1) is not a suid application and this
> vulnerability probably could not be exploited. Nevertheless, this is
> bad behavior for any kind of program.
>
> Solution:
>
> --- usr.bin/ctags/ctags.c.orig	Tue May  4 09:23:30 2004
> +++ usr.bin/ctags/ctags.c	Tue May  4 09:25:48 2004
> @@ -166,7 +166,7 @@
>  			if (uflag) {
>  				for (step = 0; step < argc; step++) {
>  					(void)asprintf(&cmd,
> -					    "mv %s OTAGS; fgrep -v '\t%s\t' OTAGS >%s; rm OTAGS",
> +					    "mv '%s' OTAGS; fgrep -v '\t%s\t' OTAGS >'%s'; rm OTAGS",
>  					    outfile, argv[step], outfile);
>  					if (cmd == NULL)
>  						err(1, "out of space");
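Review bot: the single quotes added around `%s` on the `mv`/`rm` line do not close the hole, because neither `outfile` nor `argv[step]` is escaped before being spliced in: a value containing a `'` ends the quoted word and the shell parses whatever follows, which is exactly what the `'; echo hi '` argument in the reply shows. Note too that `argv[step]` goes into the `fgrep -v '\t%s\t'` pattern, which was already single-quoted before this change and has the same weakness. Either rewrite each value with every `'` replaced by `'\''` before wrapping it, or drop the `system(3)` string and run the `mv`/`fgrep`/`rm` steps via `fork(2)`/`execv(3)` so the filenames travel as argv entries.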
> @@ -181,7 +181,7 @@
>  			put_entries(head);
>  			(void)fclose(outf);
>  			if (uflag) {
> -				(void)asprintf(&cmd, "sort -o %s %s",
> +				(void)asprintf(&cmd, "sort -o '%s' '%s'",
>  				    outfile, outfile);
>  				if (cmd == NULL)
>  					err(1, "out of space");
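Review bot: same problem on the `sort -o '%s' '%s'` line: quoting without escaping only moves the boundary, and a `'` inside `outfile` still terminates the word. Since this call is just `sort` with three arguments, the cleanest fix is to replace `system(cmd)` with a `fork(2)` and `execlp(3)` of `sort`, `-o`, `outfile`, `outfile`, which needs no quoting at all and also does away with the `asprintf`/`err(1, "out of space")` handling around `cmd`.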
>
>
> -Roman Bogorodskiy
>

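The two fixes Mike names, escape-then-quote versus handing sort(1) an argument vector, side by side, as an added example in C that is not from the ctags(1) source or from either poster; the function names, the `--` before the second operand and the 256-byte buffer are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fix 1 (escape, then quote): emit s as one single-quoted shell word with
 * each ' rewritten as '\'' so no byte of s can close the word.
 * Returns bytes written, or -1 if dst (size n) is too small. */
int shell_quote(char *dst, size_t n, const char *s)
{
    size_t k = 0;
    if (n < 1) return -1;
    dst[k++] = '\'';
    for (; *s; s++) {
        if (*s != '\'') { if (k + 1 > n) return -1; dst[k++] = *s; continue; }
        if (k + 4 > n) return -1;
        memcpy(dst + k, "'\\''", 4); k += 4;
    }
    if (k + 2 > n) return -1;              /* closing quote plus NUL */
    dst[k++] = '\'';
    dst[k] = '\0';
    return (int)k;
}

/* The ctags "sort -o %s %s" line rebuilt with shell_quote.  Unlike the
 * patch's bare '%s', a ' inside outfile cannot end the quoted word. */
int build_sort_cmd(char *dst, size_t n, const char *outfile)
{
    char q[256];
    if (shell_quote(q, sizeof q, outfile) < 0) return -1;
    int r = snprintf(dst, n, "sort -o %s %s", q, q);
    return (r < 0 || (size_t)r >= n) ? -1 : r;
}

/* Fix 2 (preferred): no shell at all.  fork(2) then execlp(3) sort(1) with
 * its arguments as a vector, so outfile arrives as one argv entry whatever
 * bytes it holds; "--" stops a name beginning with '-' being read as an
 * option.  Returns sort's exit status, or -1 on fork/wait failure. */
int run_sort_vector(const char *outfile)
{
    pid_t pid = fork();
    int st;
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("sort", "sort", "-o", outfile, "--", outfile, (char *)NULL);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}
```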