Re: Comprehensive patch escaping system/open calls in vfs/extfs

[Jakub Jelinek <jakub redhat com>]

On Sat, Aug 21, 2004 at 07:37:06PM +0200, Leonard den Ottolander wrote:
> > --- extfs/a.in      2004-08-21 13:45:50.000000000 +0200
> > +++ extfs/a.in      2004-08-21 19:06:15.458358276 +0200
> > @@ -36,17 +36,20 @@ SWITCH: for ( $ARGV[0] ) {
> >    /mkdir/ && do {
> >      shift; shift;
> >      exit 1 if scalar(@ARGV) != 1;
> > -    system("$mmd $qdisk:/$ARGV[0] >/dev/null");
> > +    $qname = quote($ARGV[0]);
> > +    system("$mmd $qdisk:/$qname >/dev/null");
> >      exit 0; };
> >    /rmdir/ && do {
> >      shift; shift;
> >      exit 1 if scalar(@ARGV) != 1;
> > -    system("$mrd $qdisk:/$ARGV[0] >/dev/null");
> > +    $qname = quote($ARGV[0]);
> > +    system("$mrd $qdisk:/$qname >/dev/null");
> >      exit 0; };
> >    /rm/ && do {
> >      shift; shift;
> >      exit 1 if scalar(@ARGV) != 1;
> > -    system("$mdel $qdisk:/$ARGV[0] >/dev/null");
> > +    $qname = quote($ARGV[0]);
> > +    system("$mdel $qdisk:/$qname >/dev/null");
> >      exit 0; };
> >    /copyout/ && do {
> >      shift; shift;
>
> Nope. The value of $ARGV[0] is already known because of the SWITCH.

There are two shifts in between.
Try:
strace -f /usr/share/mc/extfs/a mkdir a 'touch `date` me' 2>&1 | grep exec
execve("/usr/share/mc/extfs/a", ["/usr/share/mc/extfs/a", "mkdir", "a", "touch `date` me"], [/* 32 vars */]) 
= 0
[pid 24053] execve("/bin/sh", ["sh", "-c", "mmd a:/touch `date` me >/dev/nul"...], [/* 34 vars */]) = 0
[pid 24055] execve("/bin/date", ["date"], [/* 33 vars */]) = 0
[pid 24056] execve("/usr/bin/mmd", ["mmd", "a:/touch", "Sat", "Aug", "21", "19:45:57", "CEST", "2004", "me"], 
[/* 33 vars */]) = 0

while with the patched a:
strace -f /tmp/a mkdir a 'touch `date` me' 2>&1 | grep exec
execve("/tmp/a", ["/tmp/a", "mkdir", "a", "touch `date` me"], [/* 32 vars */]) = 0
[pid 24061] execve("/bin/sh", ["sh", "-c", "mmd a:/touch\\ \\`date\\`\\ me >/dev"...], [/* 34 vars */]) = 0
[pid 24062] execve("/usr/bin/mmd", ["mmd", "a:/touch `date` me"], [/* 33 vars */]) = 0

As how it could be exploited, suppose a hostile collegue gives you a
flopy with a file
veeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeery`rm -rf ~/`loooooooooooooooooooooooooooooongfilename
on it.
You press F8 on it and there you go.

        Jakub