107410 2003-07-09  21:44  /43 lines/  <Andries.Brouwer@cwi.nl>
Imported: 2003-07-09  21:44  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5494>
Subject: xpdf vulnerability - CAN-2003-0434
------------------------------------------------------------

[I sent this letter on 2003-06-28, but no letters arrived that day,
it seems. A second attempt.]

I see RedHat and Mandrake reactions to the vulnerability
in xpdf reported by Martyn Gilmore. But their updates do
not fix the problem.

They change xpdf, and make it filter out backquotes before
invoking urlCommand. I think that was unnecessary.

On the other hand, urlCommand must be very careful what it
does with the URL since it was remote-user-supplied.
A urlCommand like the default "netscape -remote 'openURL(%s)'"
is OK since the %s is protected by single quotes.

A urlCommand like the RedHat "/usr/bin/xpdf-handle-url %s"
is bad since %s is not protected and funny games are possible.
In other words, not xpdf but /etc/xpdfrc must be fixed.

Next, RedHat /usr/bin/xpdf-handle-url is bad as well, since
it does
  xterm -e sh -c "echo Edit $0 to include your URL handler; echo $1;
read" exposing the unquoted URL to sh -c.

For example, on a RedHat 8.0 system that I have here, clicking a URL
like "nailto:me; rm /tmp/abc" will remove the indicated file, also
after the fix is applied.

A test example for playing with pdflatex:

\documentclass[11pt]{minimal} \usepackage{color}
\usepackage[urlcolor=blue,colorlinks=true,pdfpagemode=none]{hyperref}
\begin{document} \href{prot:hyperlink with stuff, say, `rm -rf
/tmp/abc`; touch /tmp/pqr}{\texttt{Click me}} \end{document}

All shell metacharacters are dangerous. Not only backquote.

Andries
(107410) / <Andries.Brouwer@cwi.nl>/------(Reflowed)
Comment in text 107413 by stanislav shalunov <shalunov@internet2.edu>
107413 2003-07-09  22:03  /20 lines/ stanislav shalunov <shalunov@internet2.edu>
Imported: 2003-07-09  22:03  by Brevbäraren
External recipient: Andries.Brouwer@cwi.nl
Recipient: Bugtraq (import) <5497>
Comment on text 107410 by  <Andries.Brouwer@cwi.nl>
Subject: Re: xpdf vulnerability - CAN-2003-0434
------------------------------------------------------------
Andries.Brouwer@cwi.nl writes:

> A urlCommand like the default "netscape -remote 'openURL(%s)'"
> is OK since the %s is protected by single quotes.

How so?  Consider an argument of
	'`rm -rf /tmp/test`'
This expands to
	netscape -remote 'openURL('`rm -rf /tmp/test`')'
where the single quotes have no effect.

A proper fix would be not to invoke shell at all, but simply fork and
exec.

-- 
Stanislav Shalunov		http://www.internet2.edu/~shalunov/

"The power of accurate observation is commonly called cynicism by
those who have not got it."			-- G. B. Shaw
(107413) /stanislav shalunov <shalunov@internet2.edu>/
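The fork-and-exec approach proposed in the reply above, written out as an added example; this is not xpdf's code and not from either poster. It assumes a hypothetical build_argv() that splits a urlCommand template on whitespace and splices the URL into the %s token, and a template written without shell quoting (e.g. "netscape -remote openURL(%s)"), since no shell is there to strip quotes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical replacement for a shell-based urlCommand (added example, not xpdf code).
 * The template is split on whitespace into an argv vector and the URL is spliced into
 * the token holding %s.  The vector goes straight to exec, so backquotes, semicolons
 * and quotes in the URL are plain bytes inside one argument, never shell syntax.
 * Returns the argument count; argv[argc] is set to NULL. */
int build_argv(const char *tmpl, const char *url, char **argv, int max)
{
    int argc = 0;
    char *copy = strdup(tmpl), *save = NULL;
    for (char *tok = strtok_r(copy, " \t", &save); tok && argc < max - 1;
         tok = strtok_r(NULL, " \t", &save)) {
        const char *pct = strstr(tok, "%s");
        if (pct == NULL) {
            argv[argc++] = strdup(tok);
            continue;
        }
        size_t pre = (size_t)(pct - tok);
        char *arg = malloc(strlen(tok) - 2 + strlen(url) + 1);
        memcpy(arg, tok, pre);            /* text before %s */
        strcpy(arg + pre, url);           /* the URL itself, verbatim */
        strcat(arg, pct + 2);             /* text after %s */
        argv[argc++] = arg;
    }
    argv[argc] = NULL;
    free(copy);
    return argc;
}

/* fork and execvp the vector directly; /bin/sh is never involved.
 * Returns the child's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_no_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the reply's argument '`rm -rf /tmp/test`' the handler receives the literal string openURL('`rm -rf /tmp/test`') as its second argument, and nothing is expanded.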
107420 2003-07-09  23:52  /9 lines/  <Andries.Brouwer@cwi.nl>
Imported: 2003-07-09  23:52  by Brevbäraren
External recipient: Andries.Brouwer@cwi.nl
External recipient: shalunov@internet2.edu
Recipient: Bugtraq (import) <5503>
Subject: Re: xpdf vulnerability - CAN-2003-0434
------------------------------------------------------------
>> A urlCommand like the default "netscape -remote 'openURL(%s)'"
>> is OK since the %s is protected by single quotes.

> How so?  Consider an argument of
>	'`rm -rf /tmp/test`'

xpdf already filters out single and double quotes, so
these do not occur in arguments.
(107420) / <Andries.Brouwer@cwi.nl>/----------------