Command injection through URL in Pidgin

Tomasz Wasilczyk tomkiewi at gmail.com
Sun Jun 9 12:49:46 EDT 2013


2013/6/9 Ethan Blanton <elb at pidgin.im>:
> John Houwer spake unto us the following wisdom:
>> http://example.org/$(xterm)
>> opens a xterm (linux)
>>
>> http://example.org/$(touch<tab>/tmp/ownage)
>> Creates the File /tmp/ownage! If you use a <space> the URL will stop. If
>> you use a <tab> you can inject what you want to.
>>
>> In preferences the browser is set to "desktop default".
>>
>> I think this is a major concern. The user needs to click on the link, but
>> you know how it is nowadays. ;)
>
> This is a major concern.  We should be inoculated from this, but there
> may be a bug.  It is also possible that there's a bug in the desktop
> handler, or in the program/script handling the ultimate URL.  What
> desktop environment are you using?  On gnome we use gnome-open, and on
> KDE we use kfmclient; in both cases, the URL is escaped with
> g_shell_quote.  Can you get a strace of this process, with arguments,
> and find the exec we're actually invoking?
>
> In general, though, I don't like this code.  We should ultimately be
> reducing to execv, not exec.  It looks like we're using
> g_spawn_command_line_sync, and we should be using g_spawn_sync.
> Regardless of where the bug lies in this (in our code or in the
> desktop), this should be changed.

What do you think, if I would rewrite that code to use execv (of
course, hidden behind glib)?

Tomek

> Ethan
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQEVAwUBUbSiCf8fixZ3H8crAQi58ggAsATOsqlecIVO437QRcdy4so29yWi/gQ3
> nfs/UyIEktRAd6sXrcNee8nMTmg40ATXJMe5wCzZmfYs1ItZTA0J0qhOeUhlUmYE
> sxujMYuBuSDBxbubRZONNVOLqBu6wJns+OLtrAvrM7Zd0S7SXtQmp/eoqnkq+ky5
> uIgL8XDifzj4iBcyqplvoUJ0YGJoGXotFENbAL7tF8sX9X3Kn9uHTFpfdBqFWplK
> vX/iMOPDooWkHr4grhSKNeXOF394vfMI7LFyfS3iuz1fWnbRuWIALJ9l98vNtqfU
> Q0fHFPkvH1IZU5pyXu5L0fxxXRSm9ol1Sm7rCduuwoekNBch3SUIQQ==
> =9n9p
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/security


More information about the security mailing list