[Koha-bugs] [Bug 13009] New: ImportExportFramework.pm should call system() with an array of params
bugzilla-daemon at bugs.koha-community.org
Mon Sep 29 21:25:49 CEST 2014
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13009
Bug ID: 13009
Summary: ImportExportFramework.pm should call system() with an array of params
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: gmcharlt at gmail.com
Reporter: tomascohen at gmail.com
QA Contact: testopia at bugs.koha-community.org
It seems we have an attack vector for the shellshock bash vulnerability.
I wrote this sample script:
#!/usr/bin/perl
# file hack.pl
use Modern::Perl;
use CGI;
my $query = CGI->new;   # CGI->new instead of the indirect-object "new CGI"
print $query->header();
# Single-string form: Perl hands this line to /bin/sh, which is what the test exercises
system("echo -e 'hola tomas'");
1;
and called it like this:
$ curl -H 'User-Agent: () { :;}; /usr/bin/touch /tmp/hacked' http://koha-dev.biblioadmin/cgi-bin/koha/hack.pl
It successfully created the /tmp/hacked file. This means that any call to
system() that passes the command and parameters in the same string is parsed by the
default /bin/sh and is therefore vulnerable to the bug. The bug isn't exploitable if
the system() call looks like this (i.e. /bin/sh is not used):
system("echo","-e","hola tomas");
The only place we have that usage pattern is in C4::ImportExportFramework:
C4/ImportExportFramework.pm:562: system("cd $tempdir && $cmd -r new.ods ./");
C4/ImportExportFramework.pm:585: system("rm -rf $tempdir");
C4/ImportExportFramework.pm:695: system("rm -rf $tempdir");
C4/ImportExportFramework.pm:734: system("$cmd $filename -d $tempdir");
The vulnerability would be difficult to exploit:
- It needs unpatched bash
- It needs bash as the default /bin/sh
- It needs an authenticated user with permissions to edit MARC frameworks.
I haven't written a PoC of the exploit that includes the authorization requirement,
because the bug is pretty straightforward.
To put it clearly, system("rm -rf $tempdir"); makes the Perl interpreter call
/bin/sh, which then inherits the CGI params, and then bash is exploited.
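A defensive rewrite of those four calls, added here as an example (not Koha's own code); it assumes $cmd, $tempdir and $filename carry the same values the module passes today, and the environment value in the self-check is constructed:

```perl
# Added example, not Koha code: the four shell-string system() calls quoted
# above from C4::ImportExportFramework rewritten so that /bin/sh is never
# spawned. $cmd, $tempdir and $filename are assumed to hold whatever the
# module already passes (an archiver binary, a temp directory, an input file).
use Modern::Perl;
use Cwd qw(getcwd);
use File::Path qw(remove_tree);
use File::Temp qw(tempdir);

# Run a command as an argument list. The indirect-object form forces the
# list (execvp) path even for a one-element list, so no shell ever parses
# the inherited CGI environment and a shellshock-style value stays inert.
# It also stops spaces or metacharacters inside $tempdir/$filename from
# being read as shell syntax. Returns the exit status, or -1 on exec failure.
sub run_cmd {
    my @argv = @_;
    my $rc = system { $argv[0] } @argv;
    return -1 if $rc == -1;          # could not execute $argv[0]
    return $rc >> 8;                 # child's exit status
}

# Line 562: system("cd $tempdir && $cmd -r new.ods ./");
sub pack_ods {
    my ($cmd, $tempdir) = @_;
    my $cwd = getcwd();
    chdir $tempdir or die "chdir $tempdir: $!";
    my $status = run_cmd($cmd, '-r', 'new.ods', './');
    chdir $cwd or die "chdir $cwd: $!";
    return $status;
}

# Lines 585 and 695: system("rm -rf $tempdir");
sub cleanup_tempdir {
    my ($tempdir) = @_;
    remove_tree($tempdir, { safe => 1 });   # pure Perl, no rm, no shell
    return -d $tempdir ? 0 : 1;             # 1 when the directory is gone
}

# Line 734: system("$cmd $filename -d $tempdir");
sub unpack_ods {
    my ($cmd, $filename, $tempdir) = @_;
    return run_cmd($cmd, $filename, '-d', $tempdir);
}

# Self-check with a constructed environment value shaped like the one in the
# report: bash never starts, so only "hola tomas" and exit status 0 appear.
local $ENV{HTTP_USER_AGENT} = '() { :;}; echo SHOULD-NOT-PRINT';
my $dir = tempdir();
say "echo exit status: ", run_cmd('/bin/echo', '-e', 'hola tomas');
say "tempdir removed: ", cleanup_tempdir($dir) ? 'yes' : 'no';
```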