Bugs item #3603894, was opened at 2013-02-08 18:06
Message generated for change (Comment added) made by danielel
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=611248&aid=3603894&group_id=95403

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Private: Yes
Submitted By: https://www.google.com/accounts ()
Assigned to: Daniele Lacamera (danielel)
Summary: unsafe use of system(3), sprintf(3)

Initial Comment:
Hello, while performing an audit of vde2 
(https://bugs.launchpad.net/ubuntu/+source/vde2/+bug/776818) I found a security 
bug. If you decide this is a security issue, please contact the linux-distros 
security list to coordinate a release and request a CVE number. (See 
http://oss-security.openwall.org/wiki/mailing-lists/distros for details on 
using the linux-distros list. Note especially that [vs] is required in the 
Subject: header.)

The system(3) and sprintf(3) library calls are used in an unsafe manner in 
cryptcab:

        if(!pre_shared){
                vc_printlog(2,"Sending key over ssh channel:");
                if(remoteusr)
                        sprintf(command,"scp %s /tmp/.blowfish.key 
%s@%s:/tmp/.%s.key 2>&1",
                                scp_extra_options?scp_extra_options:"",
                                remoteusr, remotehost, ret->id);
                else
                        sprintf(command,"scp %s /tmp/.blowfish.key 
%s:/tmp/.%s.key 2>&1",
                                scp_extra_options?scp_extra_options:"",
                                remotehost, ret->id);

                //fprintf(stderr,"Contacting host: %s ",remotehost);
                res=system(command);

Every use of %s indicates a place where an attacker may supply shell 
metacharacters, if the corresponding variable is under control of an attacker.

Further, note that command is declared to hold only 255 bytes, but this code 
does not prevent overwriting the buffer.

Far better would be to build an array of strings for execution directly by 
execve(2) or one of the related functions, and avoid use of the shell. This 
will prevent shell metacharacters from being used for evil. This will also 
prevent the buffer overflow.

This probably requires two separate CVE entries, one for the buffer overflows 
and one for the unsafe use of system(3).

----------------------------------------------------------------------

>Comment By: Daniele Lacamera (danielel)
Date: 2013-03-07 12:18

Message:
closed in r556

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=611248&aid=3603894&group_id=95403

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
vde-users mailing list
vde-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/vde-users

Reply via email to