The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
a2ps Executing Shell Commands From File Name
------------------------------------------------------------------------
SUMMARY
<http://www.infres.enst.fr/~demaille/a2ps/> a2ps is "an Any to PostScript
filter". a2ps can be made to execute shell commands from a given filename
allowing an attacker to execute arbitrary commands.
DETAILS
Vulnerable Systems:
* a2ps version 4.13, possibly prior, on all platforms supported with Bash
or C-shell used by System()
Immune Systems:
* a2ps latest from CVS, FreeBSD only
a2ps can execute shell commands from file names. Unless you use a2ps with
wildcards from a world-writeable directory like /tmp, this issue doesn t
pose a real impact on your system.
How to reproduce:
$ touch 'x`echo >&2 42`.c'
$ a2ps -o /dev/null *.c
42
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'
$ a2ps -V
GNU a2ps 4.13
Written by Akim Demaille, Miguel Santana.
How it was found:
$ touch 'LAN (div0)'
$ a2ps -o /dev/null LAN*
sh: -c: line 1: syntax error near unexpected token `('
sh: -c: line 1: `/usr/bin/file -L LAN (div0)'
[LAN (div0) (plain): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'
Workaround
Do not use wildcards in a2ps command lines except if you do that in a
directory only you can create files in and where you know the contents.
Patch Availability:
A patch was written by Rudolf and was sent to the FreeBSD developers, the
Debian a2ps maintainer and to GNU itself. However, the patch was only
admitted into the CVS tree for a2ps by the FreeBSD team, making the
FreeBSD version the only one with a fix.
The patch can be found at
<http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain>
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain.
The patch itself might not work on Windows even though the problem exists
if command.com is used a shell interpreter. The filename might be
different though.
For convenience, it is also copied here:
--- src/select.c.orig Thu Dec 16 02:04:56 1999
+++ src/select.c Sat Aug 21 12:05:31 2004
@@ -131,6 +131,36 @@
return 1;
}
+/* escapes the name of a file so that the shell groks it in 'single'
q.marks.
+ The resulting pointer has to be free()ed when not longer used. */
+char *
+shell_escape(const char *fn)
+{
+ size_t len = 0;
+ const char *inp;
+ char *retval, *outp;
+
+ for(inp = fn; *inp; ++inp)
+ switch(*inp)
+ {
+ case '\'': len += 4; break;
+ default: len += 1; break;
+ }
+
+ outp = retval = malloc(len + 1);
+ if(!outp)
+ return NULL; /* perhaps one should do better error handling here */
+ for(inp = fn; *inp; ++inp)
+ switch(*inp)
+ {
+ case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ =
'\''; break;
+ default: *outp++ = *inp; break;
+ }
+ *outp = 0;
+
+ return retval;
+}
+
/* What says file about the type of a file (result is malloc'd). NULL
if could not be run. */
@@ -144,11 +174,15 @@
if (IS_EMPTY (job->file_command))
return NULL;
+ filename = shell_escape(filename);
+ if(filename == NULL)
+ return NULL;
/* Call file(1) with the correct option */
- command = ALLOCA (char, (2
+ command = ALLOCA (char, (4
+ strlen (job->file_command)
+ ustrlen (filename)));
- sprintf (command, "%s %s", job->file_command, (const char *) filename);
+ sprintf (command, "%s '%s'", job->file_command, (const char *)
filename);
+ free(filename);
message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
file_out = popen (command, "r");
ADDITIONAL INFORMATION
The information has been provided by <mailto:divzero@gmail.com> Rudolf
Polzer.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
