In regard to CVE-2014-7169 CVE-2014-6271 looking at busybox-1.22.1/networking/udhcp/dhcpc.c line 403 fill_envp() it seems as if it would be trivial to mess with bootfile and inject a packet that has garbage in the bootfile and exploit this vulnerability. Something as trivial as removing some characters would likely be sufficient to protect from an exploit.
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_277

In any case, at any point in the code where the outside is allowed to inject directly into the shell environment, data needs to be sanitized the same as one would sanitize a form post in a web application. Here are other files that have the same issue:

networking/httpd.c <- Yep, seems easy to exploit.
networking/ntpd.c <- Seems OK but needs more digging. Mostly sanitized by numerics.
networking/tcpudp.c <- Potential via DNS poisoning, injecting an invalid hostname containing a payload.
mailutils/reformime.c <- Uses data from the mail header and places it into the env.

I see others but they look less likely.

A wrapper fix for all set/putenv seems reasonable if it can be crafted to identify the use of (). I don't see how we can sanitize to a specific character set such as 3.278 for all environment vars and not cause problems with some use cases. Looking for just () has issues in that other vectors may be discovered down the road, so maybe pushing this to fixes in bash is the best solution. I would like to see generalized sanitization at every point where put/setenv is used, to conform at minimum to the expected data that would be placed in the environment. Unfortunately, for things like httpd.c most browsers do not conform to RFC2616 and quote special characters like ( in headers. So it would be trivial to inject a forged User-Agent header with the exploit in it.

Does anyone here want to chime in on this issue and potential fixes?

Best Regards
Sean Mathews
CTO / Director of R&D @ NuTech.com
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
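As an added illustration of the "wrapper around set/putenv" idea the post floats, here is a small C sketch (not BusyBox code and not from the poster) of what such a wrapper could check before untrusted data reaches the environment: the variable name is restricted to the portable `[A-Za-z_][A-Za-z0-9_]*` form, a value that opens with `()` followed by `{` (the shape bash treated as an exported function) is flagged, and `(`/`)` are stripped from the value, which is the "removing some characters" mitigation the post mentions. Function names (`env_name_is_portable`, `env_value_is_function_export`, `env_value_strip_parens`, `sanitized_setenv`) and the sample values are assumptions constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable environment-variable name: first char letter or '_',
 * remaining chars letters, digits or '_'. Anything else is refused. */
int env_name_is_portable(const char *name)
{
    if (!name || !*name)
        return 0;
    if (!(isalpha((unsigned char)*name) || *name == '_'))
        return 0;
    for (const char *p = name + 1; *p; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_'))
            return 0;
    return 1;
}

/* Detect the "() {" prefix (optional blanks allowed) that marks a value
 * bash would import as a function definition. Detection only. */
int env_value_is_function_export(const char *value)
{
    if (!value)
        return 0;
    while (*value == ' ' || *value == '\t')
        value++;
    if (value[0] != '(' || value[1] != ')')
        return 0;
    value += 2;
    while (*value == ' ' || *value == '\t')
        value++;
    return *value == '{';
}

/* Return a malloc'd copy of VALUE with every '(' and ')' removed.
 * Caller frees. NULL on allocation failure. */
char *env_value_strip_parens(const char *value)
{
    size_t n = strlen(value);
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    char *o = out;
    for (const char *p = value; *p; p++)
        if (*p != '(' && *p != ')')
            *o++ = *p;
    *o = '\0';
    return out;
}

/* Hypothetical wrapper a daemon could call instead of setenv():
 * refuses non-portable names, strips parens from the value,
 * and logs when a function-export shaped value was neutralised.
 * Returns 0 on success, -1 when the name is refused or memory fails. */
int sanitized_setenv(const char *name, const char *value)
{
    if (!env_name_is_portable(name) || !value)
        return -1;
    if (env_value_is_function_export(value))
        fprintf(stderr, "sanitized_setenv: function-export shaped value for %s stripped\n", name);
    char *clean = env_value_strip_parens(value);
    if (!clean)
        return -1;
    int rc = setenv(name, clean, 1);
    free(clean);
    return rc;
}

int main(void)
{
    /* Constructed sample values standing in for a DHCP bootfile and a
     * User-Agent header; the first has the shape the post worries about. */
    const char *bootfile = "() { :; }; echo test";
    const char *ua = "Mozilla/5.0 (X11; Linux)";
    sanitized_setenv("BOOTFILE", bootfile);
    sanitized_setenv("HTTP_USER_AGENT", ua);
    printf("BOOTFILE=%s\nHTTP_USER_AGENT=%s\n", getenv("BOOTFILE"), getenv("HTTP_USER_AGENT"));
    return 0;
}
```

Stripping parentheses is deliberately blunt: it also mangles legitimate values such as the User-Agent above, which is exactly the usability trade-off the post raises. A per-variable allow-list (numeric only for ntpd, hostname characters for tcpudp, and so on) is the tighter option where the expected data is known.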
