[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Tomas,

On Mon, Dec 24, 2018 at 08:47:55PM +0000, Tomas Bortoli wrote:
>    Hi Robert,
> 
>    Your patch seems not to be definitive against CVE-2018-19518.
>    This because checking for spaces won't be enough if an attacker uses some
>    "bash trick" to get a space...
>    In fact you can get a space by not typing it, with something like this:
> 
>      a=`date`;echo${a:3:1}asd
> 
>    Will print "asd".. it gets the space from a substring of "a".
> 
I tried this along with a few different variants and none of them
produced the vulnerability described in the CVE.  I am confident that an
actual space is required in order to exploit the vulnerability.

On Tue, Dec 25, 2018 at 07:12:38PM +0000, Tomas Bortoli wrote:
> Hi Roberto,
> 
> On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
> > There are two command templates involved in this section of code:
> > rshcommand and sshcommand.  The two for loops each operate on a
> > different command template.
> 
> Ah ahn.. I missed that single byte difference, thanks.
> 
> > Yes, the description could certainly use more detail.  That said, I did
> > include this in my original post:
> >
> >     I also wondered whether it was possible to cause the vulnerability
> >     without a space in the hostname (somewhat related to the first
> >     question).  In any event, I concluded that the question of whether
> >     something is a valid hostname might be a bit complex to tackle and
> >     despite numerous attempts I was not able to exploit the
> >     vulnerability without the space between the host name and the
> >     command switch '-'.
> >
> > I suppose it would be possible to apply the approach of counting tokens
> > to the host variable to ensure that it only contains a single token.
> > However, I do not think that is any better or worse than the approach I
> > came up with.
> >
> 
> What about "shell escaping" the host name? Not sure about escaping the
> other parameters too..but that shouldn't harm.
> It should be the best security practice against command injection, AFAIK.
> 
You have lost me here.  First, I am not certain what you mean by "shell
escaping" in this context.  Second, would this be something that is done
when the configuration is read or when the rsh/ssh command is to be
executed?  Third, is the shell escaping you describe possible without
introducing additional library dependencies?

Without knowing for certain what you mean, I would think that shell
escaping (like URL encoding/decoding, for instance) would best be
handled by a purpose-built library.  However, if there is a way to
accomplish what you describe without such an additional component, I
would interested to know.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Reply to: