[jokosher-devel] Jokosher Security Vulnerability



Using a specially crafted Jokosher Project file, a malicious third party (whoever gave you the file) can run arbitrary code. This isn't a big issue right now since we only open our own .jokosher files, but it's quite scary nonetheless.

In the XML, under the "<Undo>" tag, place this line:
<Command value="P __class__; print 'security hole'; import os; os.remove('/home/laszlo/testfile')"/>

The P __class__ part is just because our undo function requires either P, I or E to be the first character. It then changes P to "project." and puts the function call after it. I just used __class__ because it allows us to not do anything without throwing an exception.

All the user has to do is hit Edit->Undo or Ctrl-Z and the command will execute.

The part following it is where you can do whatever you want. I tried os.remove() and it worked for my test file. But you could put os.system('rm -rf ~') and it should work no problem.

Basically this vulnerability boils down to a very liberal use of exec() in Project.ExecuteCommand(). Any ideas on how to keep undo working without having to be worried about trading Jokosher files with others?

Laszlo
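The following is an added example, not Jokosher's code and not part of Laszlo's message. It reproduces the pattern the post describes (a leading "P" rewritten to "project." and the remainder handed to exec()) against a constructed <Undo> fragment, then shows one way to keep undo working without exec(): parse each Command with a strict grammar, look the method up in an allow-list, and accept only literal arguments via ast.literal_eval. FakeProject, SetVolume, the command grammar and the prefix table are assumptions for illustration (the post only names P -> "project."); the payload is rewritten in Python 3 syntax so it runs here, with a list append standing in for os.remove().

```python
"""Added example (not Jokosher's own code): exec()-based undo versus an
allow-listed parser.  All names below are hypothetical stand-ins."""
import ast
import re
import xml.etree.ElementTree as ET

# Constructed <Undo> fragment in the shape the post describes.  The first
# Command is the post's payload, adapted to Python 3 and made harmless:
# instead of deleting a file it appends to TAMPERED.
SAMPLE_PROJECT_XML = """<Project>
  <Undo>
    <Command value="P __class__; TAMPERED.append('ran')"/>
    <Command value="P SetVolume(0.25)"/>
  </Undo>
</Project>"""

TAMPERED = []  # evidence that attacker-supplied code executed

# Assumption: the post only states that "P" becomes "project."; I and E are
# left out rather than guessed.
PREFIX_TO_TARGET = {"P": "project"}


class FakeProject:
    """Hypothetical stand-in for the Jokosher Project object."""

    def __init__(self):
        self.volume = 1.0

    def SetVolume(self, level):
        self.volume = float(level)


def undo_commands(xml_text):
    """Return the value attribute of every <Command> under <Undo>."""
    root = ET.fromstring(xml_text)
    return [c.get("value") for c in root.iter("Command")]


def execute_command_unsafe(project, command):
    """The vulnerable pattern: prefix is replaced, the rest is exec()'d verbatim.
    Everything after the prefix runs as Python with the project's privileges."""
    prefix, _, rest = command.partition(" ")
    target = PREFIX_TO_TARGET[prefix]
    exec(target + "." + rest, {"project": project, "TAMPERED": TAMPERED})


class UnsafeCommand(ValueError):
    """Raised for any command that does not match the allow-listed grammar."""


# Assumption: method name -> number of arguments it accepts.
ALLOWED_METHODS = {"project": {"SetVolume": 1}}

# Exactly: one prefix letter, a space, an identifier, a parenthesised argument
# list, nothing else.  Semicolons, newlines, attribute chains never match.
COMMAND_RE = re.compile(r"([PIE]) ([A-Za-z_]\w*)\((.*)\)")


def execute_command_safe(project, command):
    """Hardened replacement: no exec().  The method is resolved through an
    allow-list and the arguments must be Python literals (numbers, strings,
    tuples...), which ast.literal_eval enforces by rejecting names and calls."""
    m = COMMAND_RE.fullmatch(command)
    if not m:
        raise UnsafeCommand("malformed command: %r" % command)
    prefix, method, argtext = m.groups()
    target = PREFIX_TO_TARGET.get(prefix)
    allowed = ALLOWED_METHODS.get(target, {})
    if method not in allowed:
        raise UnsafeCommand("method not allowed: %r" % method)
    try:
        args = ast.literal_eval("(" + argtext + ",)") if argtext.strip() else ()
    except (ValueError, SyntaxError):
        raise UnsafeCommand("arguments are not literals: %r" % argtext)
    if len(args) != allowed[method]:
        raise UnsafeCommand("wrong argument count for %s" % method)
    obj = {"project": project}[target]
    getattr(obj, method)(*args)


def run_undo(project, xml_text, executor):
    """Apply every Command with the given executor; return (command, outcome)."""
    results = []
    for cmd in undo_commands(xml_text):
        try:
            executor(project, cmd)
            results.append((cmd, "ok"))
        except UnsafeCommand:
            results.append((cmd, "rejected"))
    return results


if __name__ == "__main__":
    p = FakeProject()
    print(run_undo(p, SAMPLE_PROJECT_XML, execute_command_unsafe), TAMPERED)
    p = FakeProject()
    print(run_undo(p, SAMPLE_PROJECT_XML, execute_command_safe), p.volume)
```

With the unsafe executor the payload's append runs and the legitimate SetVolume also succeeds, so the user sees nothing wrong. With the hardened executor the payload is rejected at the grammar check while SetVolume(0.25) is still applied; an attacker who tries to smuggle code into the argument list (for example a call to __import__) is stopped by ast.literal_eval, which only ever builds literals.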


