Ciao Roberto,
On 12/28/18 5:20 AM, Roberto C. Sánchez wrote:
> Hi Tomas,
>
> On Mon, Dec 24, 2018 at 08:47:55PM +0000, Tomas Bortoli wrote:
>> Hi Robert,
>>
>> Your patch seems not to be definitive against CVE-2018-19518.
>> This because checking for spaces won't be enough if an attacker uses some
>> "bash trick" to get a space...
>> In fact you can get a space by not typing it, with something like this:
>>
>> a=`date`;echo${a:3:1}asd
>>
>> Will print "asd".. it gets the space from a substring of "a".
>>
> I tried this along with a few different variants and none of them
> produced the vulnerability described in the CVE. I am confident that an
> actual space is required in order to exploit the vulnerability.
Yeah, it makes sense. I agree.
>
> On Tue, Dec 25, 2018 at 07:12:38PM +0000, Tomas Bortoli wrote:
>> Hi Roberto,
>>
>> On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
>>> There are two command templates involved in this section of code:
>>> rshcommand and sshcommand. The two for loops each operate on a
>>> different command template.
>> Ah ahn.. I missed that single byte difference, thanks.
>>
>>> Yes, the description could certainly use more detail. That said, I did
>>> include this in my original post:
>>>
>>> I also wondered whether it was possible to cause the vulnerability
>>> without a space in the hostname (somewhat related to the first
>>> question). In any event, I concluded that the question of whether
>>> something is a valid hostname might be a bit complex to tackle and
>>> despite numerous attempts I was not able to exploit the
>>> vulnerability without the space between the host name and the
>>> command switch '-'.
>>>
>>> I suppose it would be possible to apply the approach of counting tokens
>>> to the host variable to ensure that it only contains a single token.
>>> However, I do not think that is any better or worse than the approach I
>>> came up with.
>>>
>> What about "shell escaping" the host name? Not sure about escaping the
>> other parameters too..but that shouldn't harm.
>> It should be the best security practice against command injection, AFAIK.
>>
> You have lost me here. First, I am not certain what you mean by "shell
> escaping" in this context. Second, would this be something that is done
> when the configuration is read or when the rsh/ssh command is to be
> executed? Third, is the shell escaping you describe possible without
> introducing additional library dependencies?
>
> Without knowing for certain what you mean, I would think that shell
> escaping (like URL encoding/decoding, for instance) would best be
> handled by a purpose-built library. However, if there is a way to
> accomplish what you describe without such an additional component, I
> would interested to know.
>
By shell escaping I meant to escape all the special shell characters
within the input. That'd probably need additional dependencies or a neat
sanitizer function.
But I was wrong, it's unnecessary as there's no shell interpreter there
but it's just using `execv` to get rsh/ssh running.
I agree that preventing the injection of spaces will prevent the
injection of additional parameters and therefore the execution of
unexpected commands.
Br,
Tomas
