Thread: [Lxr-dev] Random file opening vulnerability in LXR
From: Arne G. G. <ar...@li...> - 2003-03-10 09:20:56
Hi all,
I've been alerted to a vulnerability in LXR 0.3 allowing an attacker
to read random files on the hosting system as the http user.
I've implemented a stop-gap fix on the lxr.linux.no site by patching
lib/LXR/Config.pm as follows:
--- lib/LXR/Config.pm 1998/04/30 11:58:17 1.3
+++ lib/LXR/Config.pm 2003/03/10 09:13:32
@@ -155,7 +155,9 @@
sub varexpand {
my ($self, $exp) = @_;
- $exp =~ s/\$\{?(\w+)\}?/$self->{variable}->{$1}/g;
+ $exp =~ s{\$\{?(\w+)\}?}{
+ $self->{variable}->{$1} =~ /^([a-zA-Z0-9\.\-]*)$/ ? $1 : ''
+ }ge;
return($exp);
}
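Review bot: the character class `[a-zA-Z0-9\.\-]*` still accepts a value made up only of dots, so a variable set to `..` passes the check unchanged and, given that the code later reads `$root/$v/$filename` (as noted further down this thread), can still step above the source root. Reject values that consist solely of dots, or better, accept only values that appear in the configured set for that variable name rather than any string matching a character class. Also note that `*` admits the empty string and that an unset `$self->{variable}->{$1}` now expands silently to `''` under the match (and warns under `use warnings`); failing loudly on an unknown variable name would surface a misconfiguration instead of producing a half-built path.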
It looks like 0.9.2 is vulnerable, as well. Malcolm, do you want to
publish updates to the download images on the sourceforge site?
Arne.
From: Malcolm B. <ma...@br...> - 2003-03-21 10:15:11
Hi Arne,
Yes, I do want to publish updates. I'll do that tonight.
For 0.9.2, I think we might need to look at how all the file accesses
are done, plus what we do with the other untrusted input. The problem is
deciding what the safe set is, because there have been plenty of reports
already that we're too strict in httpwash.
I think the right thing is to only block ".." and force the filename to
be limited to the source root, and make sure we're not using the open()
call that interprets the filename in any way.
But really this needs a security audit - any volunteers?
Cheers,
Malcolm
From: Giacomo A. C. <ca...@de...> - 2003-03-21 10:36:13
If I understand correctly the vulnerability, it happens only because of the expansion of $v and $a, but all the possible values are already stored in some configuration files, so it is simple to check that $v and $a are in the correct set of values, and to do the variable expansion manually (e.g. a simple string substitution) instead of the normal perl expansion.
BTW, FYI, the vulnerability is a candidate CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0156
BTW I see that some big projects use LXR, would you publish a list of such servers? If you are interested, I will try to compile the list.
ciao
giacomo
From: Malcolm B. <ma...@br...> - 2003-03-21 13:16:03
Hi Giacomo,
Giacomo A. Catenazzi wrote:
> If I understand correctly the vulnerability, it happens
> only because of the expansion of $v and $a, but
> all the possible values are already stored
> in some configuration files, so it is simple to
> check that $v and $a are in the correct set of values,
> and to do manually (e.g. a simple string substitution)
> the variable expansion, instead of the normal perl
> expansion.
Ah, I see how that could cause it, because we go and read $root/$v/$filename. Should be an easy fix.
> BTW, FYI, the vulnerability is a candidate CVE:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0156
Thanks - I'll keep an eye on it.
> BTW I see that some big projects use LXR, would you publish a
> list of such servers? If you are interested, I will try
> to compile the list.
YES!! I'd be very interested in such a list, both to update the (woeful) LXR homepage at http://lxr.sf.net, and to give us a good idea of who to contact when 1.0 hits the shelves (real soon now, I promise :-)
If anyone feels like updating the LXR website, they'd be very welcome...
Malcolm
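The two fixes proposed in this thread, Giacomo's "check that $v and $a are in the configured set" and Malcolm's "block `..`, confine the filename to the source root and avoid an interpreting open()", put together as an added example; this is not LXR's code nor code from anyone on the list. The `%allowed` sets, the template string and the `confined_path`/`read_source_file` names are constructed assumptions.

```perl
use strict;
use warnings;
use File::Spec;

# Constructed sample of the value sets a site's configuration supplies for
# the request-settable variables $v and $a (hypothetical, not a real lxr.conf).
my %allowed = (
    v => { map { $_ => 1 } qw(2.4.20 2.5.64) },
    a => { map { $_ => 1 } qw(i386 alpha) },
);

# Expand $v / ${v} only when the request's value is in the configured set;
# anything else (unknown name, missing or unlisted value) expands to ''.
sub varexpand_safe {
    my ($exp, $vars) = @_;
    $exp =~ s{\$\{?(\w+)\}?}{
        my $name = $1;
        (defined $vars->{$name} && $allowed{$name}
            && $allowed{$name}{ $vars->{$name} }) ? $vars->{$name} : ''
    }ge;
    return $exp;
}

# Confine a relative path to $root lexically: no absolute path, no NUL byte,
# no empty path and no '..' segment anywhere; returns the joined path or undef.
sub confined_path {
    my ($root, $rel) = @_;
    return undef if !defined $rel || $rel eq '' || $rel =~ m{^/} || $rel =~ /\0/;
    my @parts = grep { $_ ne '' && $_ ne '.' } split m{/+}, $rel;
    return undef if !@parts || grep { $_ eq '..' } @parts;
    return File::Spec->catfile($root, @parts);
}

# Read a source file through the confinement check, using three-argument
# open with an explicit mode so the name is never parsed for '|', '<' or '>'.
sub read_source_file {
    my ($root, $rel) = @_;
    my $path = confined_path($root, $rel);
    return undef unless defined $path;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# A configured value expands; a traversal value expands to '' instead.
print varexpand_safe('$v/include/asm-$a', { v => '2.4.20', a => 'i386' }), "\n";
print varexpand_safe('$v/include/asm-$a', { v => '../..',  a => 'i386' }), "\n";
```

The path check is purely lexical, so a symlink inside the source tree pointing outside it is not caught here; resolving the joined path with `Cwd::realpath` and re-checking the root prefix would cover that case.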