author: Steve Kemp <steve@steve.org.uk> 2012-11-18 15:30:38 +0000
committer: Steve Kemp <steve@steve.org.uk> 2012-11-18 15:30:38 +0000
commit: 501a2ed38abe496ab0314e053d7e253c09ccd963 (patch)
tree: ecfc29da618faca11872434321bdb1eaa9e9be6c /SECURITY
parent: 1eb13146641df17140da538800ed12116a7d98b0 (diff)
Demonstrate vulnerability.
Diffstat (limited to 'SECURITY')
-rw-r--r--  SECURITY  21
1 files changed, 8 insertions, 13 deletions
diff --git a/SECURITY b/SECURITY
index 78779fc..b0e0b90 100644
--- a/SECURITY
+++ b/SECURITY
@@ -12,29 +12,24 @@ custodian-enqueue
custodian-dequeue
-----------------
- Two tests pass arguments from the configuration file to the shell:
+Two tests pass arguments from the configuration file to the shell:
ping
http/https
- The hostname used to ping, and the url, are both passed directly to the shell with no encoding or sanitizing.
-
- This means a test such as the following is a risk:
-
- $(touch /tmp/blah) must run ping.
-
- HOWEVER the hostname will pass the following regexp:
+The hostname used to ping, and the url, are both passed directly to the shell with no encoding or sanitizing. The only issue is that the hostnames must match the following regular expression:
^([^\s]+)\s+
- So in real terms the only risk is commands without spaces:
-
-
- $(/tmp/exploit.sh) must run ping
+The following configuration file allows the specified command to be executed, as root, via the shell:
+ $(/home/steve/hg/custodian/exploit.sh) must ping otherwise "Owned".
- TODO: Fix this
+Given that anybody who can talk to the beanstalkd server can submit JSON-encoded-jobs we have no solution here which involves sanity-checking the parsed-hostnames. Instead we much either restrict submissions to signed ones, or we must remove the following from hostnames:
+ $( ... ) - Expansion.
+ ` .. ` - Backticks.
+ ; .. - Sub-commands.
General
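Review bot: the three constructs the new text proposes to strip from hostnames (`$( ... )`, backticks, `;`) do not cover the other shell metacharacters (`|`, `&`, newlines, redirections), so the hostname would still reach the shell unsanitized and the denylist would be incomplete; since the text already states that anyone who can reach beanstalkd can submit jobs, the fix worth documenting here is to stop handing the hostname and URL to a shell at all (execute ping and the HTTP fetch with an argument vector, no shell), or, if that is not possible, to accept only hostnames matching a strict allowlist of hostname characters rather than the `^([^\s]+)\s+` regexp, which only excludes whitespace. Also a typo in the added paragraph: "we much either restrict" should read "we must either restrict", and "JSON-encoded-jobs" should be "JSON-encoded jobs".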