Date: Tue, 4 May 2004 09:49:09 +0400
From: Roman Bogorodskiy <bogorodskiy@inbox.ru>
To: freebsd-security@freebsd.org
Subject: ctags(1) command execution vulnerability
Message-ID: <20040504054909.GA3119@lame.novel.ru>

Hello,

ctags(1) uses the external application sort(1) for sorting the tags file. It
calls it via the system(3) function.

Look at the /usr/src/usr.bin/ctags/ctags.c file, there are such lines here:

	if (uflag) {
		(void)asprintf(&cmd, "sort -o %s %s", outfile, outfile);
		if (cmd == NULL)
			err(1, "out of space");
		system(cmd);
		free(cmd);
		cmd = NULL;
	}

This code will be executed when the "-u" arg is given. So, if we execute
ctags in such a way:

	ctags -u -f ';echo hi' *.c

we get the following:

	Syntax error: ";" unexpected
	sort: option requires an argument -- o
	Try `sort --help' for more information.
	hi
	hi

We can put any command instead of 'echo hi' and it would be executed (two
times).

I understand that ctags(1) is not a suid application and this vulnerability
probably could not be exploited. Nevertheless, this is bad behavior for
any kind of program.

Solution:

--- usr.bin/ctags/ctags.c.orig Tue May 4 09:23:30 2004 +++ usr.bin/ctags/ctags.c Tue May 4 09:25:48 2004 @@ -166,7 +166,7 @@ if (uflag) { for (step =3D 0; step < argc; step++) { (void)asprintf(&cmd, - "mv %s OTAGS; fgrep -v '\t%s\t' OTAGS >%s; rm OTAGS", + "mv '%s' OTAGS; fgrep -v '\t%s\t' OTAGS >'%s'; rm OTAGS", outfile, argv[step], outfile); if (cmd =3D=3D NULL) err(1, "out of space"); 
@@ -181,7 +181,7 @@ put_entries(head); (void)fclose(outf); if (uflag) { - (void)asprintf(&cmd, "sort -o %s %s", + (void)asprintf(&cmd, "sort -o '%s' '%s'", outfile, outfile); if (cmd =3D=3D NULL) err(1, "out of space");

-Roman Bogorodskiy
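
Review bot: In the hunk at -166, argv[step] is still pasted unescaped into the fgrep pattern '\t%s\t', and the new '%s' around outfile only holds while the value contains no single quote, because a ' in either string closes the quoting and the shell parses the rest again. Wrapping in quotes is not escaping; I would take the shell out of this step instead: rename(2) the tags file and filter the old entries in-process, or run fgrep through fork/execvp with each value as its own argument. The fixed name OTAGS in the current directory could become a mkstemp(3) file in the same change.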
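
Review bot: In the hunk at -181, "sort -o '%s' '%s'" still hands outfile to the shell, so a tags file name that contains a single quote ends the quoting, and a name that starts with "-" is read by sort as an option in the second position. Suggest building an argument vector (sort, -o, outfile, --, outfile) and running it with fork/execvp or posix_spawnp, so the name is never parsed as shell syntax. The code quoted earlier in the message calls system(cmd) without looking at its result; the replacement should check the exit status of sort.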
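
A shell-free way to do the sort step that the message shows going through system(3), as an added example that is not part of the original post and is not FreeBSD's ctags code. The names sort_in_place and demo are hypothetical, and the file name used in the check is constructed; sort(1) is assumed to be on PATH.

```c
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;

/* Hypothetical helper: run `sort -o outfile -- outfile` with posix_spawnp(3).
 * No shell parses the name; it reaches sort(1) as a single argv entry.
 * Returns sort's exit status, or -1 if sort could not be run. */
int sort_in_place(const char *outfile)
{
    char *const args[] = { "sort", "-o", (char *)outfile, "--",
                           (char *)outfile, NULL };
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, "sort", NULL, NULL, args, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed check: the file name carries the ";echo hi" from the report
 * plus a single quote. Returns 0 when the file was sorted in place. */
int demo(void)
{
    char dir[] = "/tmp/ctags-demo-XXXXXX", path[64], line[8] = "";
    FILE *f;
    int rc;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/it's;echo hi", dir);
    if ((f = fopen(path, "w")) == NULL)
        return -1;
    fputs("b\na\n", f);
    fclose(f);
    rc = sort_in_place(path);
    if ((f = fopen(path, "r")) != NULL) {
        if (fgets(line, sizeof(line), f) == NULL)
            line[0] = '\0';
        fclose(f);
    }
    unlink(path);
    rmdir(dir);
    return (rc == 0 && strcmp(line, "a\n") == 0) ? 0 : 1;
}
int main(void) { return demo(); }
```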