TPP template arbitrary code execution

2013.06.22
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


Ogólna skala CVSS: 6.8/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

A security flaw was found in the way tpp, a ncurses-based presentation tool, processed TPP templates containing --exec clause (input provided as an argument of the --exec clause would be immediately executed without requesting a second confirmation from the user). A remote attacker could provide a specially-crafted text presentation program (TPP) template that, when processed with the tpp binary would lead to arbitrary code execution with the privileges of the user running the tpp executable. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706644 [2] http://patch-tracker.debian.org/patch/series/view/tpp/1.3.1-3/15-optional-exec.patch (Debian distribution patch) [3] https://bugzilla.redhat.com/show_bug.cgi?id=976684 Upstream patch / GitHub link: [4] https://github.com/xtaran/tpp/commit/350aafbd9a3256f6d479dacb9740bf3f0b9a3fc3 Index: tpp/tpp.rb =================================================================== --- tpp.orig/tpp.rb 2013-06-12 22:13:55.000000000 +0200 +++ tpp/tpp.rb 2013-06-12 22:15:08.000000000 +0200 @@ -725,9 +725,13 @@ end def do_exec(cmdline) - rc = Kernel.system(cmdline) - if not rc then - # @todo: add error message + if $execok then + rc = Kernel.system(cmdline) + if not rc then + # @todo: add error message + end + else + @screen.addstr("--exec disabled by default for security reasons. Use option -x to enable it.") end end @@ -1683,6 +1687,7 @@ $stderr.puts "\t -t <type>\tset filetype <type> as output format" $stderr.puts "\t -o <file>\twrite output to file <file>" $stderr.puts "\t -s <seconds>\twait <seconds> seconds between slides (with -t autoplay)" + $stderr.puts "\t -x\t\tallow parsing of --exec in input files" $stderr.puts "\t --version\tprint the version" $stderr.puts "\t --help\t\tprint this help" $stderr.puts "\n\t currently available types: ncurses (default), autoplay, latex, txt" @@ -1699,6 +1704,7 @@ output = nil type = "ncurses" time = 1 +$execok = nil skip_next = false @@ -1720,6 +1726,8 @@ elsif ARGV[i] == "-s" then time = ARGV[i+1].to_i skip_next = true + elsif ARGV[i] == "-x" then + $execok = 1 elsif input == nil then input = ARGV[i] end Index: tpp/doc/tpp.1 =================================================================== --- tpp.orig/doc/tpp.1 2013-06-12 22:13:55.000000000 +0200 +++ tpp/doc/tpp.1 2013-06-12 22:13:55.000000000 +0200 @@ -20,6 +20,8 @@ .TP \-l output.tex input.tpp converts tpp slides into tex .TP +\-x allow usage of "\-\-exec" +.TP \-v/\-\-version display version number .SH KEYS

Referencje:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706644
https://bugzilla.redhat.com/show_bug.cgi?id=976684
https://github.com/xtaran/tpp/commit/350aafbd9a3256f6d479dacb9740bf3f0b9a3fc3


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top