Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Hi Tomas,
Thanks for the feedback.
On Mon, Dec 24, 2018 at 08:47:55PM +0000, Tomas Bortoli wrote:
> Hi Robert,
>
> Your patch seems not to be definitive against CVE-2018-19518.
> This because checking for spaces won't be enough if an attacker uses some
> "bash trick" to get a space...
> In fact you can get a space by not typing it, with something like this:
>
> a=`date`;echo${a:3:1}asd
>
> Will print "asd".. it gets the space from a substring of "a".
>
I tried numerous different such tricks and every one that I tried
between 'x' and '-o' in the host specification resulted in the
vulnerability not manifesting itself.
That said, I did not try this specific trick and I will investigte to
determine if it results in the vulnerability manifesting itself.
> Regarding the code, there is a bit of redundancy as the "for" in the
> if-else is repeated in both branches, it could be therefore placed after
> the if-else and achieve the same semantic result without redundancy.
>
There are two command templates involved in this section of code:
rshcommand and sshcommand. The two for loops each operate on a
different command template.
> About the bug, as far as I understand the injection is, eventually,
> possible in the server name...shouldn't that be the "host" variable in the
> patch? [1]
> I am not sure...CVE description is quite smallish..
>
Yes, the description could certainly use more detail. That said, I did
include this in my original post:
I also wondered whether it was possible to cause the vulnerability
without a space in the hostname (somewhat related to the first
question). In any event, I concluded that the question of whether
something is a valid hostname might be a bit complex to tackle and
despite numerous attempts I was not able to exploit the
vulnerability without the space between the host name and the
command switch '-'.
I suppose it would be possible to apply the approach of counting tokens
to the host variable to ensure that it only contains a single token.
However, I do not think that is any better or worse than the approach I
came up with.
Regards,
-Roberto
--
Roberto C. Sánchez
Reply to: