OS command injection vulnerability in Chicken Scheme

Hello Chicken users,

It was discovered that the "qs" procedure from the "utils" module
performs incomplete escaping. On Windows (mingw32), this procedure
quoted the string but did not escape embedded quote characters.
On Unix, this procedure did not escape the pipe character. On both
systems, the procedure copied NUL bytes from the input string to the
output string unchanged. This last detail is less important, because all
procedures which pass the string to the shell check for NUL bytes before
doing so.

Furthermore, this procedure relied on a blacklist of "special" shell
characters, which is considered bad practice as it is too easy to forget
a character and some shells have different rules as to which characters
are special.

What all this means in practice is that an attacker-supplied filename
or any other program argument can lead to arbitrary shell code execution
through OS command injection, which is exactly what qs intends to prevent.

This bug is present in all versions of CHICKEN prior to revision
58684f69572453acc6fed7326fa9df39be98760e, in which it was fixed by
switching to a whitelist approach on Unix and escaping quotes on Windows.
CHICKEN 4.9.0 will include this fix.

The best workaround for this problem for older Chicken versions is to
avoid calling out to the shell. Instead, you can rely on the
PROCESS-EXECUTE procedure from the posix module, or use the safe
multi-argument version of the PROCESS[*] procedures, also from the posix
module. If you require the shell's easy pipeline and redirection
capabilities, you can use the scsh-process egg which uses PROCESS-EXECUTE
under the hood.
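The following is an added illustration, not CHICKEN's own code, of the two escaping strategies the advisory contrasts and of the argv-based workaround it recommends. quote_blacklist imitates the class of bug described above (a fixed list of "special" characters that forgets the pipe); quote_whitelist follows the approach of the fix (escape everything that is not known to be safe); shell_word adds the NUL check the advisory says the calling procedures perform; argv_echo is the Python analogue of PROCESS-EXECUTE, handing the child an argument vector with no shell in between. shell_words is a constructed POSIX word tokenizer (built on the standard library's shlex) used only to check whether a quoted form still parses as exactly one word; it models word splitting and metacharacter tokenization, not $ or backtick expansion, so it catches the unescaped-pipe case but is not a full shell parser. The character sets and the sample filenames are constructed for the example.

```python
"""Blacklist vs. whitelist shell quoting, modelled on the CHICKEN qs advisory.

Added illustration, not CHICKEN's own code. The character sets below are
constructed to show the difference in approach, not copied from utils.scm.
"""
import shlex
import subprocess
import sys

# Constructed blacklist: whitespace and a hand-picked set of metacharacters.
# The pipe '|' is deliberately absent, mirroring the bug the advisory describes.
_BLACKLIST = set(" \t\n\"'`$\\;&<>()")

# Constructed whitelist, after the fix's approach: only these pass unescaped.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-./")


def quote_blacklist(s: str) -> str:
    """Backslash-escape only the characters on a fixed 'special' list."""
    return "".join("\\" + c if c in _BLACKLIST else c for c in s)


def quote_whitelist(s: str) -> str:
    """Backslash-escape every character that is not known to be safe."""
    if s == "":
        return "''"  # an empty argument must still produce one shell word
    return "".join(c if c in _SAFE else "\\" + c for c in s)


def shell_word(s: str) -> str:
    """What a caller that hands strings to /bin/sh should do: refuse NUL bytes
    (they truncate C strings), then quote with the whitelist."""
    if "\x00" in s:
        raise ValueError("NUL byte in shell argument")
    return quote_whitelist(s)


def shell_words(cmdline: str) -> list:
    """Split a command line the way a POSIX shell tokenises it: whitespace
    separates words, backslash and quotes protect characters, and the
    characters ( ) ; < > | & become their own tokens. Word splitting only,
    no $ or backtick expansion."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # '#' is an ordinary character inside an argument
    return list(lex)


def round_trips(quoter, s: str) -> bool:
    """True if quoter(s) parses back as exactly one word equal to s."""
    return shell_words(quoter(s)) == [s]


def argv_echo(arg: str) -> str:
    """The workaround the advisory recommends, in Python terms: pass an
    argument vector to the child directly, with no shell in between (the
    analogue of CHICKEN's PROCESS-EXECUTE). Returns arg as the child saw it."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg],
        capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed filenames: one ordinary, one carrying the forgotten
    # metacharacter, and the empty string.
    for name in ["report 2013.txt", "a|b.txt", ""]:
        print(repr(name),
              "blacklist ok:", round_trips(quote_blacklist, name),
              "whitelist ok:", round_trips(quote_whitelist, name),
              "argv ok:", argv_echo(name) == name)
```

Run as a script, the table shows the blacklist quoter passing the ordinary name but failing both "a|b.txt" (which the tokenizer splits into three words) and the empty string (which vanishes as an argument), while the whitelist quoter and the argv-based call preserve all three. The round_trips check is the kind of property test worth keeping beside any hand-written quoting routine, since it fails as soon as a metacharacter is left off the list.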

You can also update to master 58684f69572453acc6fed7326fa9df39be98760e or
apply the patch at
http://lists.nongnu.org/archive/html/chicken-hackers/2013-04/msg00060.html

Many thanks to Florian Zumbiehl for pointing out the problem and
providing the initial patch.

Kind regards,
The CHICKEN Team

Source link: http://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg00000.html