[jokosher-devel] Jokosher Security Vulnerability
- From: Laszlo Pandy <laszlok2 gmail com>
- To: Jokosher gnome <jokosher-devel-list gnome org>
- Subject: [jokosher-devel] Jokosher Security Vulnerability
- Date: Tue, 26 Sep 2006 22:42:45 -0400
Using a specially crafted Jokosher Project file, a malicious third party
(whoever gave you the file) can run arbitrary code. This isn't a big
issue right now since we only open our own .jokosher files, but it's
quite scary nonetheless.
In the XML, under the "<Undo>" tag, place this line:
<Command value="P __class__; print 'security hole'; import os;
os.remove('/home/laszlo/testfile')"/>
The P __class__ part is just because our undo function requires either
P, I or E to be the first character. It then changes P to "project." and
puts the function call after it. I just used __class__ because it allows
us to not do anything without throwing an exception.
All the user has to do is hit Edit->Undo or Ctrl-Z and the command will
execute.
The part following it is where you can do whatever you want. I tried
os.remove() and it worked for my test file. But you could put
os.system('rm -rf ~') and it should work no problem.
Basically this vulnerability boils down to a very liberal use of exec()
in Project.ExecuteCommand(). Any ideas on how to keep undo working
without having to be worried about trading Jokosher files with others?
Laszlo
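The exec()-based undo dispatch described in the mail, placed beside an allow-list version that never evaluates project-file text, as an added example that is not Jokosher's own code. It is written for Python 3, and the Project class, the method names SetName and SetVolume, the "P Func(args)" command format and the XML layout around the Undo tag are all constructed assumptions for the demonstration; only the "P/I/E prefix rewritten to project. and handed to exec()" pattern comes from the report above.

```python
"""Added example (not Jokosher's code): an exec()-based undo dispatcher
next to an allow-list dispatcher that parses undo commands instead of
executing them."""
import ast
import re
import xml.etree.ElementTree as ET


class Project:
    """Constructed stand-in for the Jokosher project object."""

    def __init__(self):
        self.name = "untitled"
        self.volume = 1.0
        self.log = []

    # Hypothetical undoable operations; the names are assumptions.
    def SetName(self, name):
        self.name = name
        self.log.append(("SetName", name))

    def SetVolume(self, level):
        self.volume = float(level)
        self.log.append(("SetVolume", level))


# First character selects the receiver; I and E names are assumed here.
PREFIX = {"P": "project", "I": "instrument", "E": "event"}


def execute_command_vulnerable(project, command, extra_namespace=None):
    """Mirrors the pattern in the report: 'P Foo(...)' is rewritten to
    'project.Foo(...)' and passed to exec(), so any text after the
    prefix runs as Python. Do not use this shape in real code."""
    target = PREFIX[command[0]]
    source = target + "." + command[2:]
    namespace = {"project": project}
    if extra_namespace:
        namespace.update(extra_namespace)
    exec(source, namespace)


# Hardened path: an undo entry must look like 'P Name(<literal args>)'.
COMMAND_RE = re.compile(r"^([PIE]) ([A-Za-z_][A-Za-z0-9_]*)\((.*)\)$")

# Explicit table of the only operations undo is allowed to invoke.
ALLOWED = {
    "P": {"SetName": Project.SetName, "SetVolume": Project.SetVolume},
}


def parse_command(command):
    """Split a command into (kind, name, args) without executing it.
    Arguments go through ast.literal_eval, which accepts only literals
    (no calls, attribute access or imports)."""
    match = COMMAND_RE.match(command)
    if not match:
        raise ValueError("malformed undo command: %r" % command)
    kind, name, arg_text = match.groups()
    if not arg_text.strip():
        return kind, name, ()
    try:
        args = ast.literal_eval("(" + arg_text + ",)")
    except (ValueError, SyntaxError):
        raise ValueError("non-literal arguments in undo command: %r" % command)
    return kind, name, args


def execute_command_safe(project, command):
    """Dispatch through the allow-list; anything else is rejected."""
    kind, name, args = parse_command(command)
    handler = ALLOWED.get(kind, {}).get(name)
    if handler is None:
        raise ValueError("undo command not in allow-list: %s %s" % (kind, name))
    handler(project, *args)


def is_rejected(project, command):
    """True if the hardened dispatcher refuses the command."""
    try:
        execute_command_safe(project, command)
    except ValueError:
        return True
    return False


def run_undo_from_xml(project, xml_text, executor):
    """Feed every <Command value="..."/> under <Undo> to an executor."""
    root = ET.fromstring(xml_text)
    for cmd in root.iter("Command"):
        executor(project, cmd.get("value"))


# Constructed sample project files; the element names are assumptions.
GOOD_PROJECT = """<JokosherProject><Undo>
  <Command value="P SetName('take 2')"/>
  <Command value="P SetVolume(0.5)"/>
</Undo></JokosherProject>"""

# Same trick as the report, with a harmless probe instead of os.remove().
MALICIOUS_PROJECT = """<JokosherProject><Undo>
  <Command value="P __class__; probe['hit'] = True"/>
</Undo></JokosherProject>"""


def demo():
    """Returns (payload ran under exec, payload rejected by allow-list,
    name after good undo, volume after good undo)."""
    probe = {"hit": False}
    p1 = Project()
    run_undo_from_xml(
        p1, MALICIOUS_PROJECT,
        lambda proj, c: execute_command_vulnerable(proj, c, {"probe": probe}))

    p2 = Project()
    try:
        run_undo_from_xml(p2, MALICIOUS_PROJECT, execute_command_safe)
        rejected = False
    except ValueError:
        rejected = True
    run_undo_from_xml(p2, GOOD_PROJECT, execute_command_safe)
    return probe["hit"], rejected, p2.name, p2.volume


if __name__ == "__main__":
    print(demo())
```

The point of the hardened path is that the project file can only name an operation and supply literal arguments; the set of callable operations lives in the application, so a file author cannot reach exec(), import, or attribute access no matter what the value attribute contains.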