oss-sec mailing list archives
Re: CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module
From: Colin Watson <cjwatson () debian org>
Date: Sun, 27 Nov 2011 18:51:10 +0000
On Sun, Nov 27, 2011 at 06:21:15PM +0100, Jan Lieskovsky wrote:
a format string flaw was found in the Python CGI Kit (neo_cgi) module of ClearSilver, a language-neutral HTML templating system, processed certain input, leading to Common Gateway Interface (CGI) script errors. A remote attacker could provide a specially-crafted input, which once processed by an application, using the Python language API of ClearSilver neo_cgi module, could lead to that particular application crash, or, potentially arbitrary code execution with the privileges of the user running the application.
Thanks for responding to this. FWIW, I've attached a copy of the original mail I sent to a couple of security@ addresses about this vulnerability. -- Colin Watson [cjwatson () debian org]
--- Begin Message --- From: Colin Watson <cjwatson () ubuntu com>
Date: Thu, 17 Nov 2011 17:12:44 +0000
While doing the Perl 5.14 transition in Ubuntu, I noticed that clearsilver has a -Wformat-security warning (Ubuntu builds with -Werror=format-security by default to catch exactly this kind of problem): gcc -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -fPIC -Wall -I.. -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python2.7 -I.. -D_FORTIFY_SOURCE=2 -fPIC -I../ -I/usr/include/python2.7 -c neo_cgi.c -o build/temp.linux-i686-2.7/neo_cgi.o neo_cgi.c: In function 'p_cgi_error': neo_cgi.c:181:3: error: format not a string literal and no format arguments [-Werror=format-security] The effects of this can be reproduced like this: $ python >>> import neo_cgi >>> cgi = neo_cgi.CGI() >>> cgi.error('%s') Status: 500 Content-Type: text/html <html><body> An error occured:<pre>|▒U▒LfU▒LfU▒@▒` ▒`▒y▒, x▒</pre></body></html> In fact, the examples shipped with clearsilver include exception handlers that call cgi.error(s), so if you can manage to get a % into something that will end up in a Python traceback then you can read bits of process memory over the Internet and possibly do a limited amount of modification too (with %n). I have not reported this upstream. http://code.google.com/p/clearsilver/source/browse/trunk/python/neo_cgi.c shows that it has not yet been fixed. Upstream appears to be http://www.clearsilver.net/ / blong () fiction net; perhaps somebody could coordinate with him if you confirm this as a possible vulnerability? Thanks, -- Colin Watson [cjwatson () ubuntu com]
--- End Message ---
Current thread:
- CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module Jan Lieskovsky (Nov 27)
- Re: CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module Colin Watson (Nov 27)
- Re: CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module Kurt Seifried (Nov 28)