oss-sec mailing list archives

Re: CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module

From: Colin Watson <cjwatson () debian org>
Date: Sun, 27 Nov 2011 18:51:10 +0000

On Sun, Nov 27, 2011 at 06:21:15PM +0100, Jan Lieskovsky wrote:

  a format string flaw was found in the Python CGI Kit (neo_cgi)
module of ClearSilver, a language-neutral HTML templating system,
processed certain input, leading to Common Gateway Interface (CGI)
script errors. A remote attacker could provide a specially-crafted
input, which once processed by an application, using the Python
language API of ClearSilver neo_cgi module, could lead to that
particular application crash, or, potentially arbitrary code
execution with the privileges of the user running the application.


Thanks for responding to this.  FWIW, I've attached a copy of the
original mail I sent to a couple of security@ addresses about this
vulnerability.

-- 
Colin Watson                                       [cjwatson () debian org]

--- Begin Message --- From: Colin Watson <cjwatson () ubuntu com>
Date: Thu, 17 Nov 2011 17:12:44 +0000

While doing the Perl 5.14 transition in Ubuntu, I noticed that
clearsilver has a -Wformat-security warning (Ubuntu builds with
-Werror=format-security by default to catch exactly this kind of
problem):

  gcc -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Wformat-security -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Wformat-security -Werror=format-security -Wall -fPIC -Wall -I.. -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python2.7 
-I.. -D_FORTIFY_SOURCE=2 -fPIC -I../ -I/usr/include/python2.7 -c neo_cgi.c -o build/temp.linux-i686-2.7/neo_cgi.o
  neo_cgi.c: In function 'p_cgi_error':
  neo_cgi.c:181:3: error: format not a string literal and no format arguments [-Werror=format-security]

The effects of this can be reproduced like this:

  $ python
  >>> import neo_cgi
  >>> cgi = neo_cgi.CGI()
  >>> cgi.error('%s')
  Status: 500
  Content-Type: text/html
  
  <html><body>
  An error occured:<pre>|▒U▒LfU▒LfU▒@▒`   ▒`▒y▒, x▒</pre></body></html>

In fact, the examples shipped with clearsilver include exception
handlers that call cgi.error(s), so if you can manage to get a % into
something that will end up in a Python traceback then you can read bits
of process memory over the Internet and possibly do a limited amount of
modification too (with %n).

I have not reported this upstream.
http://code.google.com/p/clearsilver/source/browse/trunk/python/neo_cgi.c
shows that it has not yet been fixed.  Upstream appears to be
http://www.clearsilver.net/ / blong () fiction net; perhaps somebody could
coordinate with him if you confirm this as a possible vulnerability?

Thanks,

-- 
Colin Watson                                       [cjwatson () ubuntu com]

--- End Message ---

Current thread:

CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module Jan Lieskovsky (Nov 27)
- Re: CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module Colin Watson (Nov 27)
- Re: CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module Kurt Seifried (Nov 28)