lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Aug 2012 13:26:13 +0300
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: research <research@...ctionis.co.uk>
Cc: vuln@...urity.nnov.ru, vuln <vuln@...unia.com>, news@...uriteam.com,
	secalert@...urityreason.com, submit@...ecurity.com,
	bugs@...uritytracker.com,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq <bugtraq@...urityfocus.com>, submissions@...ketstormsecurity.org,
	oss-security@...ts.openwall.com, moderators@...db.org
Subject: Re: GIMP Scriptfu Python Remote Command Execution

Where exactly is the vulnerability here? I am unable to see it myself, it
appears that you are using an eval function to evaluate code which isn't
exactly a security issue.

2012/8/17 research <research@...ctionis.co.uk>

> Summary
> =======
>
> There is an arbitrary command execution vulnerability in the scriptfu
> network server
> console in the GIMP 2.6 branch. It is possible to use a python scriptfu
> command to run
> arbitrary operating-system commands and potentially take full control of
> the
> host.
>
> The advisory is posted here:
>
> http://www.reactionpenetrationtesting.co.uk/GIMP-scriptfu-python-command-exe
> cution.html
>
> CVE number: CVE-2012-4245
> Vendor homepage: http://www.gimp.org/
> Vendor notified: 9/8/2012
>
>
> Affected Products
> =================
>
> GIMP 2.6 branch (Windows or Linux builds)
>
> Non-Affected Products
> =====================
>
> The Scriptfu network server component does not currently work in the GIMP
> 2.8 branch
> (Windows or Linux builds).
>
> Details
> =======
>
> There is an arbitrary command execution vulnerability in the scriptfu
> network server
> console in the GIMP 2.6 branch. It is possible to use a python scriptfu
> command to run
> arbitrary operating-system commands and potentially take full control of
> the
> host.
> The following command will write "foo" to "/tmp/owned":
>
> (python-fu-eval 0 "file = open('/tmp/owned','w')\nfile.write('foo')")
>
>
> Impact
> ======
>
> Successful exploitation of the vulnerability may result in remote command
> execution.
>
> Solution
> ===========
> No solution has been implemented at this stage apart from the workaround
> below.
>
> Workaround
> ===========
>
> Do not enable the scriptfu network server.
> The GIMP development team have stated that this component was not designed
> with security
>  in mind and therefore should not be used in production environments.
>
> Distribution
> ============
>
> In addition to posting on the website, a text version of this notice
> is posted to the following e-mail and Usenet news recipients.
>
>   * bugtraq () securityfocus com
>   * full-disclosure () lists grok org uk
>
> Future updates of this advisory, if any, will be placed on the ReactionIS
> corporate website, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the URL below for any updates:
>
>
> http://www.reactionpenetrationtesting.co.uk/GIMP-scriptfu-python-command-exe
> cution.html
>
>
> ============================================================================
> ====
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists