oss-sec mailing list archives

Re: Re: CVE request: lsyncd command injection

From: Sven Schwedas <sven.schwedas () tao at>
Date: Wed, 26 Nov 2014 13:22:43 +0100

On 2014-11-26 00:18, Ángel González wrote:

On 20-11-2014 Mitre wrote:

There is a command injection flaw in lsyncd, a file change monitoring
and synchronization daemon:

https://github.com/axkibe/lsyncd/issues/220

https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227


Use CVE-2014-8990. The scope of this CVE ID includes both:

  1. code execution with ` characters or other characters that are
     special to a shell
  2. denial of service scenarios in which a user with write access
     to a local directory uses special characters to make
     synchronization fail (might have security relevance in some
     scenarios)

The MITRE CVE team does not have a Lua expert. The code change adds:

  local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
  local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')

This does not seem to be the typical fix approach for unsafe input to
a shell. Has anyone concluded that this is an incomplete fix that ought
to be modified before the 2.1.6 release?



It is indeed an incomplete fix:

* The gsub ('%$','\\%$') works in lua5.1, but under lua5.2 the second %
character makes lsyncd fail with the error "stdin:1: invalid use of '%'
in replacement string". Thus allowing a complete denial of service


* Not all metacharacters are filtered, so command execution is still
present. In particular, the escaped characters can be prefixed with a
backslash to bypass the filter.


The attached patch should hopefully solve these issues.


Thank you. I've tested the patch locally and it appears to be working
correctly (mine was more a quick hack to get our own lsyncd instances
running again).
It also has been merged upstream:

https://github.com/axkibe/lsyncd/commit/e9ffda07f0145f50f2756f8ee3fb0775b455122b


Attached is the patch adapted for Wheezy's lsyncd 2.0.7-3.

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas () tao at | +43 (0)680 301 7167
http://software.tao.at

Attachment: 0001-Properly-sanitize-mv-parameters-CVE-2014-8990.patch
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

CVE request: lsyncd command injection Murray McAllister (Nov 18)
- Re: CVE request: lsyncd command injection cve-assign (Nov 19)
  - Re: Re: CVE request: lsyncd command injection Michael Samuel (Nov 21)
  - Re: Re: CVE request: lsyncd command injection Ángel González (Nov 25)
    - Re: Re: CVE request: lsyncd command injection Sven Schwedas (Nov 26)