[Koha-bugs] [Bug 13009] New: ImportExportFramework.pm should call system() with an array of params

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Sep 29 21:25:49 CEST 2014


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13009

            Bug ID: 13009
           Summary: ImportExportFramework.pm should call system() with an
                    array of params
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5 - low
         Component: Architecture, internals, and plumbing
          Assignee: gmcharlt at gmail.com
          Reporter: tomascohen at gmail.com
        QA Contact: testopia at bugs.koha-community.org

It seems we have an attack vector for the shellshock bash vulnerability.

I wrote this sample script:

#!/usr/bin/perl
# file hack.pl

use Modern::Perl;
use CGI;

my $query = new CGI;
print $query->header();

system("echo -e 'hola tomas'");

1;

and called it like this:

$ curl -H 'User-Agent: () { :;}; /usr/bin/touch /tmp/hacked' \
    http://koha-dev.biblioadmin/cgi-bin/koha/hack.pl

It successfully created the /tmp/hacked file. This means that any call to
system() passing the command and parameters in the same string is parsed by the
default /bin/sh and is then vulnerable to the bug. The bug isn't exploitable if
the system() call looks like this (i.e. no /bin/sh use):

system("echo","-e","hola tomas");

The only place we have that usage pattern is in C4::ImportExportFramework:

C4/ImportExportFramework.pm:562:  system("cd $tempdir && $cmd -r new.ods ./");
C4/ImportExportFramework.pm:585:  system("rm -rf $tempdir");
C4/ImportExportFramework.pm:695:  system("rm -rf $tempdir");
C4/ImportExportFramework.pm:734:  system("$cmd $filename -d $tempdir");

The vulnerability would be difficult to exploit:
- It needs unpatched bash
- It needs bash as the default /bin/sh
- It needs an authenticated user with permissions to edit MARC frameworks.

I haven't written a PoC of the exploit that includes the authorization
requirement, because the bug is pretty straightforward.

To put it clearly, system("rm -rf $tempdir"); makes the Perl interpreter call
/bin/sh, which then inherits the CGI params, and then bash is exploited.

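As an added example (not part of the report and not Koha's own code): hardened equivalents of the four string-form system() calls quoted above, using Perl's list-form system() so that no /bin/sh is ever spawned, plus a pre-spawn environment scrub. The sub names run_cmd, scrub_env, zip_tempdir, unzip_into_tempdir and remove_tempdir, and the $cmd, $filename and $tempdir arguments, are assumptions based on the quoted lines.

```perl
#!/usr/bin/perl
# Added example, not Koha code: safe replacements for the four
# string-form system() calls in C4/ImportExportFramework.pm.
use Modern::Perl;
use Cwd qw(getcwd);
use File::Path qw(remove_tree);

# List form: Perl exec()s the program directly, no /bin/sh in between,
# so the CGI environment is never handed to bash for parsing.
sub run_cmd {
    my (@argv) = @_;
    my $rc = system { $argv[0] } @argv;   # indirect-object form forces list mode
    die "$argv[0] failed: $?" if $rc != 0;
    return 1;
}

# Defence in depth: before spawning anything, drop environment entries
# whose value is an exported bash function body ("() {"), the shape
# shellshock abuses, and pin PATH. Returns the number of entries dropped.
sub scrub_env {
    my $dropped = 0;
    for my $k (keys %ENV) {
        next unless defined $ENV{$k} && $ENV{$k} =~ /^\(\)\s*\{/;
        delete $ENV{$k};
        $dropped++;
    }
    $ENV{PATH} = '/usr/bin:/bin';
    return $dropped;
}

# Replaces: system("cd $tempdir && $cmd -r new.ods ./");
sub zip_tempdir {
    my ($cmd, $tempdir) = @_;
    scrub_env();
    my $oldcwd = getcwd();                # chdir in Perl instead of "cd ... &&"
    chdir $tempdir or die "chdir $tempdir: $!";
    my $ok = run_cmd($cmd, '-r', 'new.ods', './');
    chdir $oldcwd or die "chdir $oldcwd: $!";
    return $ok;
}

# Replaces: system("$cmd $filename -d $tempdir");
sub unzip_into_tempdir {
    my ($cmd, $filename, $tempdir) = @_;
    scrub_env();
    return run_cmd($cmd, $filename, '-d', $tempdir);
}

# Replaces both: system("rm -rf $tempdir"); no external program needed.
sub remove_tempdir {
    my ($tempdir) = @_;
    remove_tree($tempdir, { safe => 1 });
    return !-e $tempdir;
}
```

Note that zip_tempdir still changes the process working directory briefly; under a CGI that is normally harmless, but it is restored afterwards so later relative paths behave as before.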