Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#7031 closed defect (fixed)

remote code execution

Reported by: ioerror
Owned by:
Priority: normal
Milestone: 0.15
Component: usability
Version: hg
Severity: critical
Keywords: security privacy
Cc: asterix, flo@…
Blocked By:
Blocking:
OS: All

Description

Attacker sends:

 <a href="`touch${IFS}/tmp/ohai`@lol.com">link name</a>

If the Gajim user clicks the link, they'll execute that command as the user running gajim.

This bug is not mine: it was reported to me in an IRC channel while I was discussing auditing Gajim by ' userr'. They deserve the credit but were too lazy to report the bug; they requested that I do it, and so I am merely a messenger.

Attachments (1)

7031-remote-execution.patch (960 bytes) - added by aagbsn 5 years ago.
fix for remote code execution


Change History (9)

Changed 5 years ago by aagbsn

fix for remote code execution

comment:1 Changed 5 years ago by aagbsn

I verified this bug and attached a patch.

comment:2 Changed 5 years ago by asterix

I cannot test currently, but doesn't gajim freeze while executing the command with this patch?

comment:3 Changed 5 years ago by Flow_

  • Cc flo@… added

comment:4 Changed 5 years ago by asterix

Moreover, without shell=True, we need to provide arguments as a list, not as a string, so using shlex.split(command_line) could help. I did a patch, but that prevents using any command in the trigger plugin. It is for example not possible to use "sleep 2 && touch /tmp/y" with this patch:

 def exec_command(command):
-    subprocess.Popen('%s &' % command, shell=True).wait()
+    import shlex
+    args = shlex.split(command.encode('utf-8'))
+    p = subprocess.Popen(args)
+    gajim.thread_interface(p.wait)
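Review bot: shlex.split is applied here to the fully built `command` string, so if the clicked URL has already been interpolated into it (the ticket's payload shows the href ends up inside that string), the untrusted URL is re-tokenized too: whitespace or quotes in the href become separate argv entries, and an unbalanced quote makes shlex.split raise ValueError, which nothing in this hunk catches. Tokenize only the user-written template and append the URL as its own list element, e.g. `args = shlex.split(template) + [url]`, and handle ValueError from shlex.split. Note also that `command.encode('utf-8')` turns the whole line into a byte string before splitting, so every argv entry is bytes; that is fine for Popen but worth a comment since this path now carries untrusted input.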

So I don't have a good solution for the moment.
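As an added example (not Gajim's code and not the patch attached to this ticket), the following Python shows the two patterns discussed above side by side: the pre-fix string-plus-shell=True handler, which evaluates a backtick payload in the href, and a no-shell handler that tokenizes only the trusted command template and passes the URL as a single argv element. It also reproduces the trigger-plugin problem from comment:4, where "&&" stops working once the shell is gone. Everything here is constructed for illustration: `echo` stands in for the browser command, PAYLOAD_URL is a harmless variant of the ticket's href that prints a marker instead of touching a file, and the function names are mine. It assumes a POSIX /bin/sh and a /bin/echo binary.

```python
import shlex
import subprocess

# "echo" stands in for the browser a real URL handler would launch: it prints
# whatever argv it received, so we can see exactly what the command got.
BROWSER_TEMPLATE = "echo %s"

# Constructed payload in the spirit of the ticket's href. It prints a marker
# instead of running `touch`, which keeps the demo harmless while still showing
# whether a shell evaluated the backtick substitution.
PAYLOAD_URL = "`echo${IFS}PWNED`@lol.com"


def open_url_vulnerable(template, url):
    """Pre-fix pattern: interpolate the URL into a string and hand it to /bin/sh.

    Every shell metacharacter in the URL (backticks, $(...), ;, &&, ...) is
    interpreted, so the link target becomes a command line. The original code
    also appended ' &' to background the command; that is omitted here so the
    output can be captured cleanly.
    """
    command = template % url
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def open_url_fixed(template, url):
    """Post-fix pattern: no shell, and the URL travels as one argv element.

    Only the trusted template (written by the user, not the message sender)
    goes through shlex.split; the URL is substituted into the already-split
    tokens, so spaces, quotes or backticks in it can never create extra
    arguments or reach a shell.
    """
    argv = [token.replace("%s", url) for token in shlex.split(template)]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout.strip()


def run_trigger_without_shell(command_line):
    """A user-configured trigger command under the no-shell rule.

    '&&', pipes and redirections are ordinary arguments to the first word,
    which is the breakage comment:4 describes.
    """
    result = subprocess.run(shlex.split(command_line), capture_output=True, text=True)
    return result.stdout.strip()


def run_trigger_with_shell(command_line):
    """Trigger commands are authored by the local user, not by an attacker,
    so keeping the shell for them (as the final fix does) is acceptable and
    lets '&&' chain two commands again."""
    result = subprocess.run(command_line, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("vulnerable handler :", open_url_vulnerable(BROWSER_TEMPLATE, PAYLOAD_URL))
    print("fixed handler      :", open_url_fixed(BROWSER_TEMPLATE, PAYLOAD_URL))
    print("trigger, no shell  :", run_trigger_without_shell("echo a && echo b"))
    print("trigger, with shell:", run_trigger_with_shell("echo a && echo b"))
```

The vulnerable handler returns "PWNED@lol.com": the shell ran the embedded `echo${IFS}PWNED` before the "browser" ever saw the URL. The fixed handler returns the href byte-for-byte, because /bin/echo received it as a single argument and no shell was involved. The two trigger helpers show why the final commit keeps shell execution for user-authored trigger commands only: without a shell, "echo a && echo b" prints the literal string "a && echo b".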

comment:5 Changed 5 years ago by buymebeer

I suggest using two functions?

comment:6 Changed 5 years ago by Yann Leboulanger <asterix@…>

  • Milestone set to 0.15
  • Resolution set to fixed
  • Status changed from new to closed

(In [bc296e96ac10]) execute commands without use_shell=True to prevent remote code execution, except for commands configured in triggers plugin (configured by user itself). Fixes #7031

comment:7 Changed 4 years ago by Yann Leboulanger <asterix@…>

(In [d19b82b8763b]) execute commands without use_shell=True to prevent remote code execution, except for commands configured in triggers plugin (configured by user itself). Fixes #7031

comment:8 Changed 4 years ago by thijs

This is CVE-2012-2085.
