Bug 129981 - [vuxml] [patch] net-p2p/verlihub: document and fix CVE-2008-5706
Summary: [vuxml] [patch] net-p2p/verlihub: document and fix CVE-2008-5706
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Martin Wilke
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-27 21:00 UTC by Eygene Ryabinkin
Modified: 2009-01-11 19:50 UTC (History)
Description Eygene Ryabinkin 2008-12-27 21:00:15 UTC
Remote command execution and insecure temporary file usage was
discovered in the verlihub peer-to-peer software.

Fix: The following patch should fix the issue:


I had tested the basic compilability and checked patch sanity, but I was
not able to test it on a real verlihub server.  So, it will be great
if the maintainer is able to do it.  The cited advisory from MilW0rm should
be a good guide for the tests.

The following VuXML entry should be evaluated and added:
  <vuln vid="4b2c603e-d456-11dd-84ec-001fc66e7203">
    <topic>verlihub -- insecure temporary file usage and arbitrary command execution</topic>
    <affects>
      <package>
        <name>verlihub</name>
        <range><lt>0.9.8.d.r2_2,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Anonymous security researcher reports:</p>
        <blockquote
          cite="http://milw0rm.com/exploits/7183">
          <p>Verlihub does not sanitize user input passed to the shell
          via its "trigger" mechanism.</p>
        </blockquote>
        <p>Entry for CVE-2008-5706 says:</p>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706">
          <p>The cTrigger::DoIt function in src/ctrigger.cpp in the
          trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and
          earlier allows local users to overwrite arbitrary files via a
          symlink attack on the /tmp/trigger.tmp temporary file.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5706</cvename>
      <url>http://milw0rm.com/exploits/7183</url>
    </references>
    <dates>
      <discovery>2008-11-22</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

Attachment: net-p2p-verlihub-fix-CVE-2008-5706.diff

From 2b909689e519036965dde9184ab7faa93c53d67b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 27 Dec 2008 23:33:49 +0300

Fix insecure temporary file usage and possible arbitrary command
execution in verlihub.  Based on the advisory from v4lkyrius@gmail.com,
  http://milw0rm.com/exploits/7183
but I redid almost everything, because the original patch was incorrectly
using results of std::string.c_str() and was stripping special
characters from the whole command.  We should sanitize only the user's
input; configuration file directives should be passed "as-is".

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 net-p2p/verlihub/Makefile                  |    2 +-
 net-p2p/verlihub/files/patch-CVE-2008-5706 |   82 ++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletions(-)
 create mode 100644 net-p2p/verlihub/files/patch-CVE-2008-5706

diff --git a/net-p2p/verlihub/Makefile b/net-p2p/verlihub/Makefile
index 8ef0f5b..d6e86ad 100644
--- a/net-p2p/verlihub/Makefile
+++ b/net-p2p/verlihub/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	verlihub
 DISTVERSION=	0.9.8d-RC2
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	net-p2p
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
diff --git a/net-p2p/verlihub/files/patch-CVE-2008-5706 b/net-p2p/verlihub/files/patch-CVE-2008-5706
new file mode 100644
index 0000000..61dc4ca
--- /dev/null
+++ b/net-p2p/verlihub/files/patch-CVE-2008-5706
@@ -0,0 +1,82 @@
+--- src/ctrigger.cpp.orig	2005-04-11 19:18:38.000000000 +0400
++++ src/ctrigger.cpp	2008-12-27 23:28:14.000000000 +0300
+@@ -7,6 +7,9 @@
+  *   the Free Software Foundation; either version 2 of the License, or     *
+  *   (at your option) any later version.                                   *
+  ***************************************************************************/
++#include <errno.h>
++#include <stdio.h>
++#include <string.h>
+ #include "cserverdc.h"
+ #include "ctrigger.h"
+ #include "cconndc.h"
+@@ -44,16 +47,33 @@
+ {
+ 	string buf, filename, sender;
+ 	string par1, end1, parall;
++	string cmdl;
++
+ 	if (conn && conn->mpUser)
+ 	{
++		cmd_line >> cmdl;
++		/* Sanitise user input if we're going to exec anything */
++		if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
++			string cleaned = string();
++			const string toclean = string(";\"'\\`:!${}[]&><|~/");
++
++			for (string::iterator i = cmdl.begin();
++			    i < cmdl.end();
++			    i++) {
++				if (toclean.find(*i) == string::npos)
++					cleaned.append(1, *i);
++			}
++			cmdl = cleaned;
++		}
++
+ 		int uclass = conn->mpUser->mClass;
+ 		if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) {
+ 
+-			if(cmd_line.str().size() > mCommand.size()) {
+-				parall.assign(cmd_line.str(),mCommand.size()+1,string::npos);
++			if(cmdl.size() > mCommand.size()) {
++				parall.assign(cmdl,mCommand.size()+1,string::npos);
+ 			}
+-			cmd_line >> par1;
+-			end1 = cmd_line.str();
++			par1 = cmdl;
++			end1 = cmdl;
+ 
+ 			sender = server.mC.hub_security;
+ 			if (mSendAs.size()) sender = mSendAs;
+@@ -104,14 +124,25 @@
+ 
+ 			if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
+ 				string command(buf);
+-				filename = server.mConfigBaseDir;
+-				filename.append("/tmp/trigger.tmp");
+-				command.append(" > ");
+-				command.append(filename);
++				char buffer[1024];
++				FILE *stream;
++
+ 				cout << command << endl;
+-				system(command.c_str());
+ 				buf = "";
+-				if (!LoadFileInString(filename,buf)) return 0;
++				stream = popen(command.c_str(), "r");
++				if (stream == NULL) {
++					cout << strerror(errno) << std::endl;
++					return 0;
++				} else {
++					while (fgets(buffer, sizeof(buffer),
++					  stream) != NULL)
++                				buf.append(buffer);
++					if (pclose(stream) == -1) {
++						cout << strerror(errno) <<
++						  std::endl;
++						return 0;
++					}
++				}
+ 			}
+ 
+ 			// @CHANGED by dReiska +BEGINS+
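Review bot: in the second inner hunk of src/ctrigger.cpp, `cmd_line >> cmdl;` extracts only the first whitespace-delimited token from the stream, so everything after the first space of the user's input is dropped and `par1`, `end1` and `parall` are all derived from that single token, whereas the removed lines distinguished the next token (`cmd_line >> par1;`) from the whole line (`end1 = cmd_line.str();`). If multi-word trigger parameters are meant to survive, read the remainder with `std::getline(cmd_line, cmdl)` before filtering and document the behaviour change otherwise. The filter itself is a denylist (`toclean`); any metacharacter it omits (`*`, `(`, `)`, `#`, a carriage return) still reaches `/bin/sh -c` through `popen()` in the third hunk, so an allowlist of the characters a parameter may contain, or refusing the trigger outright when a disallowed character appears instead of silently stripping it, would be more robust. In the third hunk, `pclose(stream) == -1` only detects a wait failure; a non-zero exit status of the command is ignored and partial output in `buf` is used as if the command succeeded, so check `WIFEXITED`/`WEXITSTATUS` on the returned status. Minor: `cout << command << endl;` prints every trigger command, user input included, to stdout, and the `buf.append(buffer);` line is indented with spaces where the surrounding code uses tabs.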
-- 
1.6.0.5
How-To-Repeat: 
http://milw0rm.com/exploits/7183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-12-27 21:00:25 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

miwi@ wants his PRs (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2008-12-27 21:00:27 UTC
Maintainer of net-p2p/verlihub,

Please note that PR ports/129981 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129981

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 3 Edwin Groothuis freebsd_committer freebsd_triage 2008-12-27 21:00:29 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 4 Eygene Ryabinkin 2008-12-28 12:01:08 UTC
Added reference to CVE-2008-5705 to the VuXML entry.
--- vuln.xml begins here ---
  <vuln vid="4b2c603e-d456-11dd-84ec-001fc66e7203">
    <topic>verlihub -- insecure temporary file usage and arbitrary command execution</topic>
    <affects>
      <package>
        <name>verlihub</name>
        <range><lt>0.9.8.d.r2_2,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Anonymous security researcher reports:</p>
        <blockquote
          cite="http://milw0rm.com/exploits/7183">
          <p>Verlihub does not sanitize user input passed to the shell
          via its "trigger" mechanism.</p>
        </blockquote>
        <p>Entry for CVE-2008-5706 says:</p>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5706">
          <p>The cTrigger::DoIt function in src/ctrigger.cpp in the
          trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and
          earlier allows local users to overwrite arbitrary files via a
          symlink attack on the /tmp/trigger.tmp temporary file.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5705</cvename>
      <cvename>CVE-2008-5706</cvename>
      <url>http://milw0rm.com/exploits/7183</url>
    </references>
    <dates>
      <discovery>2008-11-22</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
Comment 5 Mikle Davidkin 2008-12-30 22:59:33 UTC
> Maintainer of net-p2p/verlihub,
>
> Please note that PR ports/129981 has just been submitted.
>
> If it contains a patch for an upgrade, an enhancement or a bug fix
> you agree on, reply to this email stating that you approve the patch
> and a committer will take care of it.
>
> The full text of the PR can be found at:
>     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129981
>
> --
> Edwin Groothuis via the GNATS Auto Assign Tool
> edwin@FreeBSD.org
>

I tested the patch attached to the PR on a real server and can approve it:
the port builds and runs OK.

BTW, please change my email in the contacts from skylord@vt.net.ru to
skylord@linkline.ru
Thanks in advance!
Comment 6 Martin Wilke freebsd_committer freebsd_triage 2009-01-11 19:42:22 UTC
State Changed
From-To: feedback->closed

Committed. Thanks!
Comment 7 dfilter service freebsd_committer freebsd_triage 2009-01-11 19:42:27 UTC
miwi        2009-01-11 19:42:13 UTC

  FreeBSD ports repository

  Modified files:
    net-p2p/verlihub     Makefile 
  Added files:
    net-p2p/verlihub/files patch-CVE-2008-5706 
  Log:
  - Fix insecure temporary file usage and arbitrary command execution
  
  PR:             129981 (based on)
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by:    maintainer
  
  Revision  Changes    Path
  1.24      +2 -3      ports/net-p2p/verlihub/Makefile
  1.1       +82 -0     ports/net-p2p/verlihub/files/patch-CVE-2008-5706 (new)