lists.openwall.net - Open Source and information security mailing list archives
Date: Wed, 28 May 2003 12:15:57 +0200
From: Stefan Bethke <s.bethke@...lence.com>
To: vul-serv@...sec.com
Subject: Re: S21SEC-024 - Vignette TCL Injection


On Monday, 26.05.03, at 16:14 (Europe/Berlin), S21SEC wrote:

> The affected Vignette commands are:
> - NEEDS
> - VALID_PATHS
>
> All the TCL templates or scripts that use these commands are 
> vulnerable to remote code injection.

This is overly broad. The actual vulnerability depends on the code path 
taken in the NEEDS Tcl procedure.

>                 SET queryString [SHOW HTTP_QUERY_STRING]        <--- (!)

This problematic line was already identified by Bas Scheffers (IIRC).
http://bas.scheffers.net/vgn-needs-login-exploit.html

>         regsub -all {; } [SHOW HTTP_COOKIE] { } cookieString        <--- (!)
>

> -- Lines 1272/1277 (VALID_PATHS command) --

>     system_error "Invalid path \"$_Path\" for template (referer='[SHOW HTTP_REFERER]')"        <--- (!)

> As seen, the value of some unfiltered variables is used and evaluated 
> with the SHOW command. If the external variable contains Vignette 
> code, then arbitrary TCL execution is possible. The affected input 
> variables are:
> - HTTP_QUERY_STRING, converted to queryString in NEEDS command.
> - HTTP_COOKIE, converted to cookieString in NEEDS command.
> - HTTP_REFERER, shown in VALID_PATHS command.

This is incorrect. While this might enable XSS attacks, it does not 
allow for Tcl code injection. The problematic command here is not SHOW, 
but SET.

A (simplified) version of the Vignette SET command would look like this:

proc SET {var val {noeval {}}} {
	# Unless the caller passes NOEVAL as the third argument, the value is
	# first evaluated as a Vignette template piece, so any embedded
	# [code] runs here.
	if {$noeval != "NOEVAL"} {
		set val [EVAL $val]
	}
	# Store the (possibly evaluated) value in the default namespace.
	namespace eval ::VgnDefaultNamespace [list set $var $val]
}

That is, unless a third argument of "NOEVAL" is passed to the SET 
command, the value will be interpreted as a Vignette Tcl template 
piece, and any Tcl command embedded in it in the form of "[code]" will 
be executed.


> Solution
> --------
>
> Replace the offending SHOW evaluations in stdlib.tcl with directly 
> passed variables. For example:
>
> instead: SET queryString [SHOW HTTP_QUERY_STRING]
> use ==> SET queryString $HTTP_QUERY_STRING

This is incorrect, and will likely break your application.


-- 
Stefan Bethke <s.bethke@...lence.com>
Tallence GmbH, Steinhöft 11, D-20459 Hamburg, Germany
Mobile +49 170 3460140, Office +49 40 36099860, Fax +49 40 36099869
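The following Tcl script is an added illustration of the distinction drawn in this mail; it is not code from the mail, from S21SEC or from Vignette. It models the simplified SET shown above and fills in the parts the mail leaves abstract with assumptions: EVAL is taken to be plain Tcl `subst` (command substitution on "[...]" is all the mechanism needs), SHOW is taken to be a lookup in a constructed `::REQUEST` array standing in for the HTTP request, and the query string is constructed so that the embedded command only sets a marker variable. Running it shows that in this model the value passes through EVAL whether it arrives via `[SHOW ...]` or via `$HTTP_QUERY_STRING`, which is why a fix that only swaps SHOW for a variable reference does not change what SET does with the value, and that only the NOEVAL argument leaves the value as opaque data.

```tcl
# Added example, not part of the original mail or of Vignette's stdlib.tcl.
# EVAL, SHOW and the ::REQUEST array are assumptions made for this demo.

namespace eval ::VgnDefaultNamespace {}

proc EVAL {tmpl} {
    # Assumption: template evaluation performs Tcl command substitution.
    return [subst $tmpl]
}

# The simplified SET from the mail: the value is evaluated unless the
# third argument is NOEVAL.
proc SET {var val {noeval {}}} {
    if {$noeval ne "NOEVAL"} {
        set val [EVAL $val]
    }
    namespace eval ::VgnDefaultNamespace [list set $var $val]
}

proc SHOW {name} {
    # Model of a request-variable lookup; ::REQUEST is constructed below.
    return $::REQUEST($name)
}

# Constructed request input: the bracketed part is a Tcl command
# substitution that only sets a marker, so its effect is visible and harmless.
set ::REQUEST(HTTP_QUERY_STRING) {a=1&b=[set ::marker evaluated]}

# Runs one SET variant at global scope and reports whether the embedded
# command substitution took place and what was stored.
proc run_case {label script} {
    set ::marker untouched
    uplevel #0 $script
    set stored $::VgnDefaultNamespace::queryString
    puts [format "%-48s marker=%-9s stored=%s" $label $::marker $stored]
    return $::marker
}

# 1. The line flagged in the advisory: SET evaluates the value,
#    so the embedded [ ... ] runs.  -> marker=evaluated
run_case {SET queryString [SHOW HTTP_QUERY_STRING]} {
    SET queryString [SHOW HTTP_QUERY_STRING]
}

# 2. The advisory's proposed replacement: Tcl expands $HTTP_QUERY_STRING
#    first, but SET still passes the result through EVAL. -> marker=evaluated
set ::HTTP_QUERY_STRING $::REQUEST(HTTP_QUERY_STRING)
run_case {SET queryString $HTTP_QUERY_STRING} {
    SET queryString $HTTP_QUERY_STRING
}

# 3. In this model only NOEVAL stores the value without evaluating it.
#    -> marker=untouched, stored value keeps its literal brackets
run_case {SET queryString [SHOW HTTP_QUERY_STRING] NOEVAL} {
    SET queryString [SHOW HTTP_QUERY_STRING] NOEVAL
}
```

Run it with `tclsh` (Tcl 8.4 or later, for the `ne` operator). The point for anyone reviewing a fix is that the evaluation happens inside SET, so the check to make is how the stored value is passed to SET, not how it was read from the request.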
