Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

To: Roberto C. Sánchez <roberto@debian.org>, "debian-lts@lists.debian.org" <debian-lts@lists.debian.org>, "debian-security@lists.debian.org" <debian-security@lists.debian.org>, "Debian Security Team" <team@security.debian.org>
Subject: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
From: Tomas Bortoli <tomasbortoli@hotmail.it>
Date: Tue, 25 Dec 2018 19:12:38 +0000
Message-id: <[🔎] HE1PR0801MB19805E1CD340AE6FF65B562CB6B40@HE1PR0801MB1980.eurprd08.prod.outlook.com>
In-reply-to: <[🔎] 20181224214058.dz2ryblz3grjxcaz@santiago.connexer.com>
References: <[🔎] 20181223032718.2zxlwl6fybebsdgh@santiago.connexer.com> <[🔎] HE1PR0801MB1980A00D267E3A7018AF02E5B6BB0@HE1PR0801MB1980.eurprd08.prod.outlook.com> <[🔎] 20181224214058.dz2ryblz3grjxcaz@santiago.connexer.com>

Hi Roberto,

On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
> There are two command templates involved in this section of code:
> rshcommand and sshcommand.  The two for loops each operate on a
> different command template.

Ah ahn.. I missed that single byte difference, thanks.

> Yes, the description could certainly use more detail.  That said, I did
> include this in my original post:
>
>     I also wondered whether it was possible to cause the vulnerability
>     without a space in the hostname (somewhat related to the first
>     question).  In any event, I concluded that the question of whether
>     something is a valid hostname might be a bit complex to tackle and
>     despite numerous attempts I was not able to exploit the
>     vulnerability without the space between the host name and the
>     command switch '-'.
>
> I suppose it would be possible to apply the approach of counting tokens
> to the host variable to ensure that it only contains a single token.
> However, I do not think that is any better or worse than the approach I
> came up with.
>

What about "shell escaping" the host name? Not sure about escaping the
other parameters too..but that shouldn't harm.
It should be the best security practice against command injection, AFAIK.


Happy Christmas,
Tomas

Reply to:

References:
- RFC: proposed fix for CVE-2018-19518 in uw-imap
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
  - From: Tomas Bortoli <tomasbortoli@hotmail.it>
- Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: Re: harbian-audit v0.2 for Debian "Stretch" 9 is released
Next by Date: Re: harbian-audit v0.2 for Debian "Stretch" 9 is released
Previous by thread: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Next by thread: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Index(es):
- Date
- Thread