Re: Re: CVE request: lsyncd command injection

[Ángel González <angel () 16bits net>]

On 20-11-2014 Mitre wrote:
> > There is a command injection flaw in lsyncd, a file change monitoring
> > and synchronization daemon:
> >
> > https://github.com/axkibe/lsyncd/issues/220
> >
> > https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
>
> Use CVE-2014-8990. The scope of this CVE ID includes both:
>
>   1. code execution with ` characters or other characters that are
>      special to a shell
>   2. denial of service scenarios in which a user with write access
>      to a local directory uses special characters to make
>      synchronization fail (might have security relevance in some
>      scenarios)
>
> The MITRE CVE team does not have a Lua expert. The code change adds:
>
>   local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
>   local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
>
> This does not seem to be the typical fix approach for unsafe input to
> a shell. Has anyone concluded that this is an incomplete fix that ought
> to be modified before the 2.1.6 release?


It is indeed an incomplete fix:

* The gsub ('%$','\\%$') works in lua5.1, but under lua5.2 the second %
character makes lsyncd fail with the error "stdin:1: invalid use of '%'
in replacement string". Thus allowing a complete denial of service


* Not all metacharacters are filtered, so command execution is still
present. In particular, the escaped characters can be prefixed with a
backslash to bypass the filter.


The attached patch should hopefully solve these issues.

Attachment: 0001-Properly-sanitize-mv-parameters-CVE-2014-8990.patch
Description: