Bug 11830 (CVE-2018-16232)

Summary: Remote shell command injection for authenticated users in backup.cgi
Product: IPFire
Reporter: DipSec <reggie.dodd30>
Component: ---
Assignee: Michael Tremer <michael.tremer>
Status: CLOSED FIXED
QA Contact:
Severity: Security
Priority: - Unknown -
CC: arne.fitzenreiter, reggie.dodd30
Version: 2
Hardware: unspecified
OS: Unspecified
Bug Depends on: 11863
Bug Blocks:
Attachments:
Command Injections
0001-backup-Sanitise-FILE-parameter.patch
0002-backup-Sanitise-content-of-ADDON-variable.patch

Description DipSec 2018-08-28 06:11:22 UTC
I am being as generic as possible before posting more details so that I can verify if this post is private.
Comment 1 DipSec 2018-08-28 06:16:12 UTC
Please make this private or tell me where to send a report with more details.

Thanks.
Comment 2 DipSec 2018-08-30 00:56:01 UTC
Created attachment 617
Command Injections

There are 2 command injections in backup.cgi. Please see the attached report.
Comment 3 Michael Tremer 2018-08-30 11:23:06 UTC
Would you be able to send me your name for credit for finding this?
Comment 4 Michael Tremer 2018-08-30 11:31:08 UTC
Created attachment 618
0001-backup-Sanitise-FILE-parameter.patch

Please review the two patches attached that will fix this issue.
Comment 5 Michael Tremer 2018-08-30 11:31:22 UTC
Created attachment 619
0002-backup-Sanitise-content-of-ADDON-variable.patch
Comment 6 DipSec 2018-08-31 00:31:57 UTC
Sure,

Please credit Reginald Dodd.

Mitre has assigned CVE-2018-16232 to this issue so refer to this in any advisory.

I will take a look at the patches.
Comment 7 DipSec 2018-08-31 00:50:11 UTC
Correct me if I'm wrong but $file would still allow command injection like this: file`whoami`.iso
Addon would not be fixed either.
Comment 8 Michael Tremer 2018-08-31 14:41:40 UTC
(In reply to DipSec from comment #7)
> Correct me if I'm wrong but $file would still allow command injection like
> this: file`whoami`.iso
> Addon would not be fixed either.

No, that isn't possible any more. FILE needs to end in .ipf or .iso and then the existence of the file is checked. If it doesn't exist (which `whoami`.iso won't), undef is returned and the script exits.

I am not aware that perl's (-e "filename") is vulnerable to any shell command execution.
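The check described in comment 8 (suffix whitelist first, then an existence check, with undef/None causing the script to stop), modelled in Python as an added example; this is not the project's patch, and the backup directory, sample file names, the character whitelist and the placeholder tar command are assumptions for illustration. It also shows the second layer a reviewer would want: the validated path is handed to the helper as an argv list, never spliced into a shell string.

```python
import os
import re
import tempfile

# Whitelist for this example (assumed, not the project's own regex): plain
# characters only, ending in .ipf or .iso. Backticks, $, ;, | and / never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+\.(?:ipf|iso)$")


def validate_backup_file(name, backup_dir):
    """Return the full path for an acceptable backup name, else None.

    Mirrors the two checks from the thread: suffix whitelist, then the
    existence test (Perl's -e). None stands in for undef, after which the
    CGI script exits instead of building any command.
    """
    if not SAFE_NAME.match(name):
        return None
    path = os.path.join(backup_dir, name)
    if not os.path.isfile(path):
        return None
    return path


def build_restore_argv(name, backup_dir):
    """Build the command as an argv list (no shell), or None if rejected.

    The placeholder tar invocation is an assumption; the point is that the
    file name is never parsed as shell syntax, even if validation is loosened.
    """
    path = validate_backup_file(name, backup_dir)
    if path is None:
        return None
    return ["/bin/tar", "-xf", path]


def run_demo():
    """Exercise the validator on constructed names; returns name -> accepted."""
    with tempfile.TemporaryDirectory() as backup_dir:
        sample = "backup-2018-08-30.iso"  # constructed sample backup file
        with open(os.path.join(backup_dir, sample), "wb") as fh:
            fh.write(b"not a real image")
        candidates = [
            sample,                   # exists, whitelisted suffix: accepted
            "file`whoami`.iso",       # backticks fail the pattern
            "backup-2018-08-30.txt",  # wrong suffix
            "missing.ipf",            # right suffix, but no such file
            "../" + sample,           # path separators fail the pattern
        ]
        return {c: build_restore_argv(c, backup_dir) is not None for c in candidates}
```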
Comment 9 DipSec 2018-09-01 06:53:59 UTC
I took another look at it and your fixes should correct the issues. It's definitely more secure now than before.
Comment 10 DipSec 2018-09-11 05:31:05 UTC
Any update on when your proposed fixes will make it into a patch?
Comment 11 Michael Tremer 2018-09-11 09:50:57 UTC
Patches are available. Since we don't have a release date for the next update yet, I didn't want to publish this.

Would you be okay with merging the fixes into our public repository and therefore disclose this vulnerability?
Comment 12 DipSec 2018-09-12 00:59:18 UTC
Unfortunately, I don't have much time to dedicate to this other than checking up on the status.

I hope the fixes make it into your next release.
Comment 13 Michael Tremer 2018-09-13 16:10:31 UTC
I have just merged the two patches into our development branch and they are scheduled to be released with Core Update 124:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=7f6257e0a475681ff243ead159cafee2e03f6265
https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=614764e58af6dd710658fd072ed9b3a1b51f805a

Thank you very much for finding and reporting this! I will make this ticket public now.
Comment 14 Michael Tremer 2018-09-28 15:17:44 UTC
The update is now available for testing:

https://planet.ipfire.org/post/ipfire-2-21-core-update-124-is-available-for-testing