On 20-11-2014 Mitre wrote:
> > There is a command injection flaw in lsyncd, a file change monitoring
> > and synchronization daemon:
> >
> > https://github.com/axkibe/lsyncd/issues/220
> >
> > https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227
>
> Use CVE-2014-8990. The scope of this CVE ID includes both:
>
> 1. code execution with ` characters or other characters that are
> special to a shell
> 2. denial of service scenarios in which a user with write access
> to a local directory uses special characters to make
> synchronization fail (might have security relevance in some
> scenarios)
>
> The MITRE CVE team does not have a Lua expert. The code change adds:
>
> local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub
> ('%$','\\%$')
> local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub
> ('%$','\\%$')
>
> This does not seem to be the typical fix approach for unsafe input to
> a shell. Has anyone concluded that this is an incomplete fix that ought
> to be modified before the 2.1.6 release?
It is indeed an incomplete fix:
* The gsub ('%$','\\%$') works in lua5.1, but under lua5.2 the second %
character makes lsyncd fail with the error "stdin:1: invalid use of '%'
in replacement string". Thus allowing a complete denial of service
* Not all metacharacters are filtered, so command execution is still
present. In particular, the escaped characters can be prefixed with a
backslash to bypass the filter.
The attached patch should hopefully solve these issues.
From cb2cdea8ceff561dc10f41c17df00f74a8a9419e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81ngel=20Gonz=C3=A1lez?= <an...@16bits.net>
Date: Tue, 25 Nov 2014 23:49:25 +0100
Subject: [PATCH] Properly sanitize mv parameters (CVE-2014-8990)
When using -rsyncssh option, some filenames
could -in addition of not syncing correctly-
crash the service and execute arbitrary commands
under the credentials of the remote user.
These issues have been assigned CVE-2014-8990
This commit fixes the incomplete and lua5.2-incompatible
sanitization performed by 18f02ad0
---
default-rsyncssh.lua | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/default-rsyncssh.lua b/default-rsyncssh.lua
index 589837d..3f3261d 100644
--- a/default-rsyncssh.lua
+++ b/default-rsyncssh.lua
@@ -77,8 +77,10 @@ rsyncssh.action = function( inlet )
-- makes move local on target host
-- if the move fails, it deletes the source
if event.etype == 'Move' then
- local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
- local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
+ local path1 = config.targetdir .. event.path
+ local path2 = config.targetdir .. event2.path
+ path1 = "'" .. path1:gsub ('\'', '\'"\'"\'') .. "'"
+ path2 = "'" .. path2:gsub ('\'', '\'"\'"\'') .. "'"
log(
'Normal',
@@ -94,10 +96,10 @@ rsyncssh.action = function( inlet )
config.ssh._computed,
config.host,
'mv',
- '\"' .. config.targetdir .. path1 .. '\"',
- '\"' .. config.targetdir .. path2 .. '\"',
+ path1,
+ path2,
'||', 'rm', '-rf',
- '\"' .. config.targetdir .. path1 .. '\"'
+ path1
)
return
--
2.1.3
