[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Ciao Roberto,

On 12/28/18 5:20 AM, Roberto C. Sánchez wrote:
> Hi Tomas,
> On Mon, Dec 24, 2018 at 08:47:55PM +0000, Tomas Bortoli wrote:
>>    Hi Robert,
>>    Your patch seems not to be definitive against CVE-2018-19518.
>>    This because checking for spaces won't be enough if an attacker uses some
>>    "bash trick" to get a space...
>>    In fact you can get a space by not typing it, with something like this:
>>      a=`date`;echo${a:3:1}asd
>>    Will print "asd".. it gets the space from a substring of "a".
> I tried this along with a few different variants and none of them
> produced the vulnerability described in the CVE.  I am confident that an
> actual space is required in order to exploit the vulnerability.

Yeah, it makes sense. I agree.

> On Tue, Dec 25, 2018 at 07:12:38PM +0000, Tomas Bortoli wrote:
>> Hi Roberto,
>> On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
>>> There are two command templates involved in this section of code:
>>> rshcommand and sshcommand.  The two for loops each operate on a
>>> different command template.
>> Ah ahn.. I missed that single byte difference, thanks.
>>> Yes, the description could certainly use more detail.  That said, I did
>>> include this in my original post:
>>>     I also wondered whether it was possible to cause the vulnerability
>>>     without a space in the hostname (somewhat related to the first
>>>     question).  In any event, I concluded that the question of whether
>>>     something is a valid hostname might be a bit complex to tackle and
>>>     despite numerous attempts I was not able to exploit the
>>>     vulnerability without the space between the host name and the
>>>     command switch '-'.
>>> I suppose it would be possible to apply the approach of counting tokens
>>> to the host variable to ensure that it only contains a single token.
>>> However, I do not think that is any better or worse than the approach I
>>> came up with.
>> What about "shell escaping" the host name? Not sure about escaping the
>> other parameters too..but that shouldn't harm.
>> It should be the best security practice against command injection, AFAIK.
> You have lost me here.  First, I am not certain what you mean by "shell
> escaping" in this context.  Second, would this be something that is done
> when the configuration is read or when the rsh/ssh command is to be
> executed?  Third, is the shell escaping you describe possible without
> introducing additional library dependencies?
> Without knowing for certain what you mean, I would think that shell
> escaping (like URL encoding/decoding, for instance) would best be
> handled by a purpose-built library.  However, if there is a way to
> accomplish what you describe without such an additional component, I
> would interested to know.

By shell escaping I meant to escape all the special shell characters
within the input. That'd probably need additional dependencies or a neat
sanitizer function.

But I was wrong, it's unnecessary as there's no shell interpreter there
but it's just using `execv` to get rsh/ssh running.

I agree that preventing the injection of spaces will prevent the
injection of additional parameters and therefore the execution of
unexpected commands.


Reply to: