Re: [Full-disclosure] GIMP Scriptfu Python Remote Command Execution

[Julius Kivimäki <julius.kivimaki () gmail com>]

Where exactly is the vulnerability here? I am unable to see it myself, it
appears that you are using an eval function to evaluate code which isn't
exactly a security issue.

2012/8/17 research <research () reactionis co uk>

> Summary
> =======
>
> There is an arbitrary command execution vulnerability in the scriptfu
> network server
> console in the GIMP 2.6 branch. It is possible to use a python scriptfu
> command to run
> arbitrary operating-system commands and potentially take full control of
> the
> host.
>
> The advisory is posted here:
>
> http://www.reactionpenetrationtesting.co.uk/GIMP-scriptfu-python-command-exe
> cution.html
>
> CVE number: CVE-2012-4245
> Vendor homepage: http://www.gimp.org/
> Vendor notified: 9/8/2012
>
>
> Affected Products
> =================
>
> GIMP 2.6 branch (Windows or Linux builds)
>
> Non-Affected Products
> =====================
>
> The Scriptfu network server component does not currently work in the GIMP
> 2.8 branch
> (Windows or Linux builds).
>
> Details
> =======
>
> There is an arbitrary command execution vulnerability in the scriptfu
> network server
> console in the GIMP 2.6 branch. It is possible to use a python scriptfu
> command to run
> arbitrary operating-system commands and potentially take full control of
> the
> host.
> The following command will write "foo" to "/tmp/owned":
>
> (python-fu-eval 0 "file = open('/tmp/owned','w')\nfile.write('foo')")
>
>
> Impact
> ======
>
> Successful exploitation of the vulnerability may result in remote command
> execution.
>
> Solution
> ===========
> No solution has been implemented at this stage apart from the workaround
> below.
>
> Workaround
> ===========
>
> Do not enable the scriptfu network server.
> The GIMP development team have stated that this component was not designed
> with security
>  in mind and therefore should not be used in production environments.
>
> Distribution
> ============
>
> In addition to posting on the website, a text version of this notice
> is posted to the following e-mail and Usenet news recipients.
>
>   * bugtraq () securityfocus com
>   * full-disclosure () lists grok org uk
>
> Future updates of this advisory, if any, will be placed on the ReactionIS
> corporate website, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the URL below for any updates:
>
>
> http://www.reactionpenetrationtesting.co.uk/GIMP-scriptfu-python-command-exe
> cution.html
>
>
> ============================================================================
> ====
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/