oss-sec mailing list archives
Privsec vuln in beep / Code execution in GNU patch
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 6 Apr 2018 08:52:43 +0200
Hi,

There was a joke webpage about a vulnerability in beep a few days ago:
http://holeybeep.ninja/

There's also a corresponding Debian Advisory:
https://lists.debian.org/debian-security-announce/2018/msg00089.html

Neither has any technical details. CVE is CVE-2018-0492. If anyone knows the background of this please share it.

However it turned out that on that joke holey beep webpage there's a patch with a hidden easter egg that's actually a vulnerability in GNU patch. GNU patch supports a legacy "ed" format for patches and that allows executing external commands.

It's been reported to GNU patch now here:
https://savannah.gnu.org/bugs/index.php?53566

CVE is CVE-2018-1000156. (says an anonymous commenter...)

A minimal poc looks like this:

--- a 2018-13-37 13:37:37.000000000 +0100
+++ b 2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol

It looks like FreeBSD and OpenBSD have fixed something alike in 2015:
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
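A defensive pre-check that follows from the message above, as an added example that is not part of the original post and not GNU patch's own code: it flags ed-style scripts and shell-escape lines in a patch file before that file is handed to patch. The names `scan_patch`, `ED_CMD` and `SHELL_ESCAPE` and both regular expressions are assumptions of this example, a heuristic rather than GNU patch's format detection; the first sample input is the PoC quoted in the message, the second is constructed.

```python
import re

# Heuristic (assumption of this example): an ed command line as "diff -e"
# emits it, i.e. address[,address] followed by a single a/c/d/i.
ED_CMD = re.compile(r"^\d+(?:,\d+)?[acdi]\s*$")
# ed shell escapes: a bare "!cmd", or e/r/w given "!cmd" instead of a file name.
SHELL_ESCAPE = re.compile(r"^\s*[\d,;.$]*\s*(?:[erw]\s*)?!")

def scan_patch(text):
    """Return (is_ed_style, findings); findings are (line_no, line) tuples."""
    findings = []
    in_ed = False
    for no, line in enumerate(text.splitlines(), start=1):
        if not in_ed:
            # Context diffs legitimately start changed lines with "! ", so
            # nothing is flagged until an ed command line has been seen.
            in_ed = bool(ED_CMD.match(line))
            continue
        # Once inside an ed script the scanner never leaves it, and it flags
        # escapes even where a text block is expected: the script is
        # interpreted by ed, not by this scanner, so it stays conservative.
        if SHELL_ESCAPE.match(line):
            findings.append((no, line))
    return in_ed, findings

# The PoC quoted in the message above.
POC = """--- a 2018-13-37 13:37:37.000000000 +0100
+++ b 2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol
"""

# Constructed unified diff whose content contains "!" but no ed commands.
UNIFIED = """--- a/f.c
+++ b/f.c
@@ -1,2 +1,2 @@
-int x = !y;
+int x = !!y;
"""

if __name__ == "__main__":
    for name, sample in (("poc", POC), ("unified", UNIFIED)):
        is_ed, hits = scan_patch(sample)
        print(name, "ed-style" if is_ed else "not ed-style", hits)
```

A pipeline that applies untrusted patches can reject any input for which `is_ed_style` is true, whether or not `findings` is empty; legitimate ed scripts whose inserted text starts with `!` are flagged too.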