Remote command execution and insecure temporary file usage were discovered in the verlihub peer-to-peer software.

Fix: The following patch should fix the issue. I have tested basic compilability and checked patch sanity, but I was not able to test it on a real verlihub server. So it will be great if the maintainer is able to do it. The cited advisory from MilW0rm should be a good guide for the tests.

The following VuXML entry should be evaluated and added:

<vuln vid="4b2c603e-d456-11dd-84ec-001fc66e7203">
  <topic>verlihub -- insecure temporary file usage and arbitrary command execution</topic>
  <affects>
    <package>
      <name>verlihub</name>
      <range><lt>0.9.8.d.r2_2,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Anonymous security researcher reports:</p>
      <blockquote cite="http://milw0rm.com/exploits/7183">
        <p>Verlihub does not sanitize user input passed to the shell via its "trigger" mechanism.</p>
      </blockquote>
      <p>Entry for CVE-2008-5706 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706">
        <p>The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/trigger.tmp temporary file.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-5706</cvename>
    <url>http://milw0rm.com/exploits/7183</url>
  </references>
  <dates>
    <discovery>22-11-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

Attachment: net-p2p-verlihub-fix-CVE-2008-5706.diff (text/plain)

From 2b909689e519036965dde9184ab7faa93c53d67b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 27 Dec 2008 23:33:49 +0300

Fix insecure temporary file usage and possible arbitrary command execution in verlihub.

Based on the advisory from v4lkyrius@gmail.com, http://milw0rm.com/exploits/7183, but I redid almost everything, because the original patch was incorrectly using results of std::string.c_str() and was stripping special characters from the whole command. We should sanitize only the user's input; configuration file directives should be passed "as-is".

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 net-p2p/verlihub/Makefile                  |  2 +-
 net-p2p/verlihub/files/patch-CVE-2008-5706 | 82 ++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletions(-)
 create mode 100644 net-p2p/verlihub/files/patch-CVE-2008-5706

diff --git a/net-p2p/verlihub/Makefile b/net-p2p/verlihub/Makefile
index 8ef0f5b..d6e86ad 100644
--- a/net-p2p/verlihub/Makefile
+++ b/net-p2p/verlihub/Makefile
@@ -7,7 +7,7 @@ PORTNAME= verlihub DISTVERSION= 0.9.8d-RC2 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= net-p2p MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
diff --git a/net-p2p/verlihub/files/patch-CVE-2008-5706 b/net-p2p/verlihub/files/patch-CVE-2008-5706
new file mode 100644
index 0000000..61dc4ca
--- /dev/null
+++ b/net-p2p/verlihub/files/patch-CVE-2008-5706
@@ -0,0 +1,82 @@ +--- src/ctrigger.cpp.orig 2005-04-11 19:18:38.000000000 +0400 ++++ src/ctrigger.cpp 2008-12-27 23:28:14.000000000 +0300 +@@ -7,6 +7,9 @@ + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + ***************************************************************************/ ++#include <errno.h> ++#include <stdio.h> ++#include <string.h> + #include "cserverdc.h" + #include "ctrigger.h" + #include "cconndc.h" +@@ -44,16 +47,33 @@ + { + string buf, filename, sender; + string par1, end1, parall; ++ string cmdl; ++ + if (conn && conn->mpUser) + { ++ cmd_line >> cmdl; ++ /* Sanitise user input if we're going to exec anything */ ++ if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) { ++ string cleaned = string(); ++ const string toclean = string(";\"'\\`:!${}[]&><|~/"); ++ ++ for (string::iterator i = cmdl.begin(); ++ i < cmdl.end(); ++ i++) { ++ if (toclean.find(*i) == string::npos) ++ cleaned.append(1, *i); ++ } ++ cmdl = cleaned; ++ } ++ + int uclass = conn->mpUser->mClass; + if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) { + +- if(cmd_line.str().size() > mCommand.size()) { +- parall.assign(cmd_line.str(),mCommand.size()+1,string::npos); ++ if(cmdl.size() > mCommand.size()) { ++ parall.assign(cmdl,mCommand.size()+1,string::npos); + } +- cmd_line >> par1; +- end1 = cmd_line.str(); ++ par1 = cmdl; ++ end1 = cmdl; + + sender = server.mC.hub_security; + if (mSendAs.size()) sender = mSendAs; +@@ -104,14 +124,25 @@ + + if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) { + string command(buf); +- filename = server.mConfigBaseDir; +- filename.append("/tmp/trigger.tmp"); +- command.append(" > "); +- command.append(filename); ++ char buffer[1024]; ++ FILE *stream; ++ + cout << command << endl; +- system(command.c_str()); + buf = ""; +- if (!LoadFileInString(filename,buf)) return 0; ++ stream = popen(command.c_str(), "r"); ++ if (stream == NULL) { ++ cout << strerror(errno) << 
std::endl; ++ return 0; ++ } else { ++ while (fgets(buffer, sizeof(buffer), ++ stream) != NULL) ++ buf.append(buffer); ++ if (pclose(stream) == -1) { ++ cout << strerror(errno) << ++ std::endl; ++ return 0; ++ } ++ } + } + + // @CHANGED by dReiska +BEGINS+ -- 1.6.0.5 How-To-Repeat: http://milw0rm.com/exploits/7183 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706
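Review bot: the include hunk at the top of src/ctrigger.cpp adds the C headers <errno.h>, <stdio.h> and <string.h> to a C++ file that goes on to use `cout`, `std::endl` and `strerror`; the C++ spellings <cerrno>, <cstdio> and <cstring> would be the consistent choice, and since no <iostream> is added, `cout` in the exec path keeps depending on it arriving transitively through "cserverdc.h" (it already did before the patch, so this is a style point, not a build break).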
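Review bot: in the sanitisation hunk (`@@ -44,16 +47,33 @@`), `cmd_line >> cmdl;` extracts a single whitespace-delimited token, so everything after the first space of the user's line is discarded before it reaches `parall`, `par1` and `end1`, which previously saw the whole line via `cmd_line.str()`; if dropping the remaining arguments is intended it needs a comment saying so, otherwise read the line with `std::getline(cmd_line, cmdl)` and sanitise that. The filter itself is a blocklist (`toclean`) that has to enumerate every shell-significant character and misses some (for example `(`, `)`, `*` and `?`); because the result is still handed to popen(3), i.e. to `/bin/sh -c`, an allowlist of alphanumerics plus `-`, `_` and `.` is the safer shape. Minor: `string cleaned = string();` is just `string cleaned;`, and the loop condition `i < cmdl.end()` should be `i != cmdl.end()`.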
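Review bot: in the popen hunk (`@@ -104,14 +124,25 @@`), `pclose(stream) == -1` only catches a wait failure; a non-zero exit of the triggered command (including 127 when the shell could not run it) is treated as success and whatever partial output was read is relayed, so test the returned wait status with `WIFEXITED`/`WEXITSTATUS` from <sys/wait.h> and return 0 on a non-zero exit as well. Reading the pipe directly does remove the predictable /tmp/trigger.tmp file and with it the symlink issue, but popen(3) still passes `command` through `/bin/sh -c`, so the character filter earlier in DoIt is the only barrier between user input and the shell; fork/exec with an explicit argv would remove the shell from the path entirely. Two leftovers: `filename`, declared at the top of DoIt, is now unused, and the unchanged `cout << command << endl;` writes the user-influenced command line to the daemon's stdout on every trigger.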
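As an added example, not code from verlihub or from this PR, the two fixes above taken one step further in the direction the commit message argues for (sanitise only the user's part, pass the operator's configuration through untouched): an allowlist instead of a blocklist for the user-supplied trigger argument, and fork/execvp with an explicit argv so the argument is never parsed by /bin/sh at all, which popen(3) always does. The function names `sanitize_trigger_arg`, `split_config_command`, `run_capture` and `run_trigger` are hypothetical, and the inputs shown in the comments are constructed for illustration.

```cpp
// Added example (not verlihub code): allowlist sanitisation of a user
// trigger argument plus shell-free execution with captured stdout.
#include <cctype>
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

// Allowlist filter for the user-supplied part of a trigger command line.
// Only alphanumerics, '-', '_' and '.' survive; every other character is
// dropped, so there is no list of "dangerous" characters to keep complete.
// Constructed input "foo;rm -rf /" becomes "foorm-rf".
std::string sanitize_trigger_arg(const std::string &in)
{
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.')
            out.push_back(static_cast<char>(c));
    }
    return out;
}

// Split a trusted, operator-written command (from the hub configuration)
// on spaces/tabs into argv words. This is the "pass configuration as-is"
// side: the operator may write options, the user cannot add any.
std::vector<std::string> split_config_command(const std::string &cmd)
{
    std::vector<std::string> words;
    std::string cur;
    for (char c : cmd) {
        if (c == ' ' || c == '\t') {
            if (!cur.empty()) { words.push_back(cur); cur.clear(); }
        } else {
            cur.push_back(c);
        }
    }
    if (!cur.empty()) words.push_back(cur);
    return words;
}

// Run argv directly via fork/execvp and collect the child's stdout through
// a pipe. No /bin/sh is involved, so argv words are never re-parsed.
// Returns the child's exit status, 127 if exec failed, or -1 on a
// pipe/fork/wait error or if the child was killed by a signal.
int run_capture(const std::vector<std::string> &argv, std::string &output)
{
    output.clear();
    if (argv.empty()) return -1;
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        // Child: stdout -> pipe, then exec without a shell.
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        std::vector<char *> cargv;
        for (const std::string &s : argv)
            cargv.push_back(const_cast<char *>(s.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);
    }
    // Parent: drain the pipe, then reap the child and report its status.
    close(fds[1]);
    char buf[1024];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        output.append(buf, static_cast<size_t>(n));
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return -1;
}

// The trigger path: trusted config command + one sanitised user argument.
int run_trigger(const std::string &config_cmd, const std::string &user_arg,
                std::string &output)
{
    std::vector<std::string> argv = split_config_command(config_cmd);
    std::string clean = sanitize_trigger_arg(user_arg);
    if (!clean.empty()) argv.push_back(clean);
    return run_capture(argv, output);
}
```

With this shape the operator's configured command keeps whatever options they wrote, while a user token such as `hi;id` reaches the child as the single literal argument `hiid`; even an unsanitised `a;b` passed straight to `run_capture` would arrive as one string, because there is no shell to give the `;` a meaning. The exit status is handed back so a failing trigger is not reported as success with half its output.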
Responsible Changed From-To: freebsd-ports-bugs->miwi miwi@ wants his PRs (via the GNATS Auto Assign Tool)
Maintainer of net-p2p/verlihub, Please note that PR ports/129981 has just been submitted. If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it. The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129981 -- Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Added reference to CVE-2008-5705 to the VuXML entry.

--- vuln.xml begins here ---
<vuln vid="4b2c603e-d456-11dd-84ec-001fc66e7203">
  <topic>verlihub -- insecure temporary file usage and arbitrary command execution</topic>
  <affects>
    <package>
      <name>verlihub</name>
      <range><lt>0.9.8.d.r2_2,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Anonymous security researcher reports:</p>
      <blockquote cite="http://milw0rm.com/exploits/7183">
        <p>Verlihub does not sanitize user input passed to the shell via its "trigger" mechanism.</p>
      </blockquote>
      <p>Entry for CVE-2008-5706 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706">
        <p>The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/trigger.tmp temporary file.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-5705</cvename>
    <cvename>CVE-2008-5706</cvename>
    <url>http://milw0rm.com/exploits/7183</url>
  </references>
  <dates>
    <discovery>22-11-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---
--
Eygene
> Maintainer of net-p2p/verlihub,
>
> Please note that PR ports/129981 has just been submitted.
>
> If it contains a patch for an upgrade, an enhancement or a bug fix
> you agree on, reply to this email stating that you approve the patch
> and a committer will take care of it.
>
> The full text of the PR can be found at:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129981
>
> --
> Edwin Groothuis via the GNATS Auto Assign Tool
> edwin@FreeBSD.org

I tested the patch attached to the PR on a real server and can approve that the port builds and runs OK.

BTW, please change my email in contacts from skylord@vt.net.ru to skylord@linkline.ru.

Thanks in advance!
State Changed From-To: feedback->closed Committed. Thanks!
miwi 2009-01-11 19:42:13 UTC

FreeBSD ports repository

Modified files:
  net-p2p/verlihub        Makefile
Added files:
  net-p2p/verlihub/files  patch-CVE-2008-5706
Log:
- Fix insecure temporary file usage and arbitrary command execution

PR:           129981 (based on)
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Approved by:  maintainer

Revision  Changes  Path
1.24      +2 -3    ports/net-p2p/verlihub/Makefile
1.1       +82 -0   ports/net-p2p/verlihub/files/patch-CVE-2008-5706 (new)