TPP template arbitrary code execution

2013.06.22

Credit: Jan Lieskovsky

Risk: High

Local: No

Remote: Yes

CVE: CVE-2013-2208

CWE: CWE-94

Ogólna skala CVSS: 6.8/10

Znaczenie: 6.4/10

Łatwość wykorzystania: 8.6/10

Wymagany dostęp: Zdalny

Złożoność ataku: Średnia

Autoryzacja: Nie wymagana

Wpływ na poufność: Częściowy

Wpływ na integralność: Częściowy

Wpływ na dostępność: Częściowy

A security flaw was found in the way tpp, a ncurses-based presentation tool,
processed TPP templates containing --exec clause (input provided as an argument
of the --exec clause would be immediately executed without requesting a second
confirmation from the user). A remote attacker could provide a specially-crafted
text presentation program (TPP) template that, when processed with the tpp binary
would lead to arbitrary code execution with the privileges of the user running
the tpp executable.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706644
[2] http://patch-tracker.debian.org/patch/series/view/tpp/1.3.1-3/15-optional-exec.patch
    (Debian distribution patch)
[3] https://bugzilla.redhat.com/show_bug.cgi?id=976684

Upstream patch / GitHub link:
[4] https://github.com/xtaran/tpp/commit/350aafbd9a3256f6d479dacb9740bf3f0b9a3fc3

Index: tpp/tpp.rb
===================================================================
--- tpp.orig/tpp.rb	2013-06-12 22:13:55.000000000 +0200
+++ tpp/tpp.rb	2013-06-12 22:15:08.000000000 +0200
@@ -725,9 +725,13 @@
   end
 
   def do_exec(cmdline)
-    rc = Kernel.system(cmdline)
-    if not rc then
-      # @todo: add error message
+    if $execok then
+      rc = Kernel.system(cmdline)
+      if not rc then
+        # @todo: add error message
+      end
+    else
+      @screen.addstr("--exec disabled by default for security reasons. Use option -x to enable it.")
     end
   end
 
@@ -1683,6 +1687,7 @@
   $stderr.puts "\t -t <type>\tset filetype <type> as output format"
   $stderr.puts "\t -o <file>\twrite output to file <file>"
   $stderr.puts "\t -s <seconds>\twait <seconds> seconds between slides (with -t autoplay)"
+  $stderr.puts "\t -x\t\tallow parsing of --exec in input files"
   $stderr.puts "\t --version\tprint the version"
   $stderr.puts "\t --help\t\tprint this help"
   $stderr.puts "\n\t currently available types: ncurses (default), autoplay, latex, txt"
@@ -1699,6 +1704,7 @@
 output = nil
 type = "ncurses"
 time = 1
+$execok = nil
 
 skip_next = false
 
@@ -1720,6 +1726,8 @@
     elsif ARGV[i] == "-s" then
       time = ARGV[i+1].to_i
       skip_next = true
+    elsif ARGV[i] == "-x" then
+      $execok = 1
     elsif input == nil then
       input = ARGV[i]
     end
Index: tpp/doc/tpp.1
===================================================================
--- tpp.orig/doc/tpp.1	2013-06-12 22:13:55.000000000 +0200
+++ tpp/doc/tpp.1	2013-06-12 22:13:55.000000000 +0200
@@ -20,6 +20,8 @@
 .TP
 \-l output.tex input.tpp converts tpp slides into tex 
 .TP
+\-x allow usage of "\-\-exec"
+.TP
 \-v/\-\-version display version number
 
 .SH KEYS

Referencje:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706644

https://bugzilla.redhat.com/show_bug.cgi?id=976684

https://github.com/xtaran/tpp/commit/350aafbd9a3256f6d479dacb9740bf3f0b9a3fc3

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

TPP template arbitrary code execution

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.