Message-ID: <CAPMrQTR6RJ3ke7xQnGeWZp23CQH=pL_63UMYS4t0XjVxTNjNSg@mail.gmail.com>
Date: Fri, 17 Aug 2012 13:26:13 +0300
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: research <research@...ctionis.co.uk>
Cc: vuln@...urity.nnov.ru, vuln <vuln@...unia.com>, news@...uriteam.com,
secalert@...urityreason.com, submit@...ecurity.com,
bugs@...uritytracker.com,
full-disclosure <full-disclosure@...ts.grok.org.uk>,
bugtraq <bugtraq@...urityfocus.com>, submissions@...ketstormsecurity.org,
oss-security@...ts.openwall.com, moderators@...db.org
Subject: Re: GIMP Scriptfu Python Remote Command Execution
Where exactly is the vulnerability here? I am unable to see it myself; it
appears that you are using an eval function to evaluate code, which isn't
exactly a security issue.
2012/8/17 research <research@...ctionis.co.uk>
> Summary
> =======
>
> There is an arbitrary command execution vulnerability in the scriptfu
> network server console in the GIMP 2.6 branch. It is possible to use a
> python scriptfu command to run arbitrary operating-system commands and
> potentially take full control of the host.
>
> The advisory is posted here:
>
> http://www.reactionpenetrationtesting.co.uk/GIMP-scriptfu-python-command-execution.html
>
> CVE number: CVE-2012-4245
> Vendor homepage: http://www.gimp.org/
> Vendor notified: 9/8/2012
>
>
> Affected Products
> =================
>
> GIMP 2.6 branch (Windows or Linux builds)
>
> Non-Affected Products
> =====================
>
> The Scriptfu network server component does not currently work in the GIMP
> 2.8 branch (Windows or Linux builds).
>
> Details
> =======
>
> There is an arbitrary command execution vulnerability in the scriptfu
> network server console in the GIMP 2.6 branch. It is possible to use a
> python scriptfu command to run arbitrary operating-system commands and
> potentially take full control of the host.
> The following command will write "foo" to "/tmp/owned":
>
> (python-fu-eval 0 "file = open('/tmp/owned','w')\nfile.write('foo')")
>
>
> Impact
> ======
>
> Successful exploitation of the vulnerability may result in remote command
> execution.
>
> Solution
> ===========
> No solution has been implemented at this stage apart from the workaround
> below.
>
> Workaround
> ===========
>
> Do not enable the scriptfu network server.
> The GIMP development team have stated that this component was not designed
> with security in mind and therefore should not be used in production
> environments.
>
> Distribution
> ============
>
> In addition to posting on the website, a text version of this notice
> is posted to the following e-mail and Usenet news recipients.
>
> * bugtraq () securityfocus com
> * full-disclosure () lists grok org uk
>
> Future updates of this advisory, if any, will be placed on the ReactionIS
> corporate website, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the URL below for any updates:
>
>
> http://www.reactionpenetrationtesting.co.uk/GIMP-scriptfu-python-command-execution.html
>
>
> ================================================================================
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
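Added example, not part of either message above: a defender-side scanner that decodes Script-Fu network server request frames and surfaces the Python source handed to python-fu-eval, so a monitor watching the server port can log and alert on such requests. It assumes the framing used by the GIMP 2.6 script-fu-server (a magic byte 'G', a two-byte big-endian length, then the Scheme text); the sample frames are constructed.

```python
"""Scan Script-Fu server traffic for python-fu-eval requests (added example)."""
import re
import struct

MAGIC = b"G"  # assumed request framing: b'G' + 2-byte big-endian length + Scheme text
# Script-Fu procedures that pass the request to an interpreter with OS access.
EVAL_PROCS = ("python-fu-eval",)


def split_frames(data):
    """Decode complete frames from a byte stream.

    Returns (list of command strings, unread remainder) so a caller can keep
    the trailing partial frame and continue after the next socket read.
    """
    cmds, pos = [], 0
    while pos + 3 <= len(data):
        if data[pos:pos + 1] != MAGIC:
            raise ValueError("bad magic at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 1:pos + 3])
        end = pos + 3 + length
        if end > len(data):
            break  # partial frame: wait for more bytes
        cmds.append(data[pos + 3:end].decode("utf-8", "replace"))
        pos = end
    return cmds, data[pos:]


def _unescape(s):
    # Minimal Scheme string unescaping (\n, \t, \" and \\).
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def find_eval_calls(command):
    """Return the Python source strings passed to python-fu-eval in one command."""
    found = []
    for proc in EVAL_PROCS:
        # (python-fu-eval <run-mode> "<code>") ; the string may contain \" and \n
        pat = r'\(\s*%s\s+\S+\s+"((?:[^"\\]|\\.)*)"' % re.escape(proc)
        found.extend(_unescape(m.group(1)) for m in re.finditer(pat, command))
    return found


def scan(data):
    """Decode every complete frame and pair it with the eval payloads it carries."""
    cmds, _rest = split_frames(data)
    return [(c, find_eval_calls(c)) for c in cmds]


def frame(cmd):
    # Build one request frame (constructed sample data for the test below).
    body = cmd.encode()
    return MAGIC + struct.pack(">H", len(body)) + body


SAMPLE = frame("(gimp-image-new 64 64 0)") + frame(
    '(python-fu-eval 0 "file = open(\'/tmp/owned\',\'w\')\\nfile.write(\'foo\')")')
```

Running scan(SAMPLE) reports the benign gimp-image-new frame with no payload and the second frame with the two-line Python source from the advisory, which is what a monitor should log.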