Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Hi Tomas,
On Mon, Dec 24, 2018 at 08:47:55PM +0000, Tomas Bortoli wrote:
> Hi Robert,
>
> Your patch seems not to be definitive against CVE-2018-19518.
> This because checking for spaces won't be enough if an attacker uses some
> "bash trick" to get a space...
> In fact you can get a space by not typing it, with something like this:
>
> a=`date`;echo${a:3:1}asd
>
> Will print "asd".. it gets the space from a substring of "a".
>
I tried this along with a few different variants and none of them
produced the vulnerability described in the CVE. I am confident that an
actual space is required in order to exploit the vulnerability.
On Tue, Dec 25, 2018 at 07:12:38PM +0000, Tomas Bortoli wrote:
> Hi Roberto,
>
> On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
> > There are two command templates involved in this section of code:
> > rshcommand and sshcommand. The two for loops each operate on a
> > different command template.
>
> Ah ahn.. I missed that single byte difference, thanks.
>
> > Yes, the description could certainly use more detail. That said, I did
> > include this in my original post:
> >
> > I also wondered whether it was possible to cause the vulnerability
> > without a space in the hostname (somewhat related to the first
> > question). In any event, I concluded that the question of whether
> > something is a valid hostname might be a bit complex to tackle and
> > despite numerous attempts I was not able to exploit the
> > vulnerability without the space between the host name and the
> > command switch '-'.
> >
> > I suppose it would be possible to apply the approach of counting tokens
> > to the host variable to ensure that it only contains a single token.
> > However, I do not think that is any better or worse than the approach I
> > came up with.
> >
>
> What about "shell escaping" the host name? Not sure about escaping the
> other parameters too..but that shouldn't harm.
> It should be the best security practice against command injection, AFAIK.
>
You have lost me here. First, I am not certain what you mean by "shell
escaping" in this context. Second, would this be something that is done
when the configuration is read or when the rsh/ssh command is to be
executed? Third, is the shell escaping you describe possible without
introducing additional library dependencies?
Without knowing for certain what you mean, I would think that shell
escaping (like URL encoding/decoding, for instance) would best be
handled by a purpose-built library. However, if there is a way to
accomplish what you describe without such an additional component, I
would interested to know.
Regards,
-Roberto
--
Roberto C. Sánchez
Reply to: