View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005437 | GNUnet | GNS | public | 2018-09-23 17:42 | 2019-02-28 11:17 |
| Reporter | bennofs | Assigned To | Christian Grothoff | ||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | Git master | ||||
| Target Version | 0.11.0 | Fixed in Version | 0.11.0 | ||
| Summary | 0005437: Shell special characters are interpreted in gns lookup in NSS module | ||||
| Description | The NSS module for GNS resolves names by executing the shell command: gnunet-gns -r -u $DOMAIN This means that it interprets shell special characters: $ getent ahosts ';' gnunet-gns: option requires an argument -- u Use --help to get a list of options. gnunet-gns: option requires an argument -- u Use --help to get a list of options. Not sure if this can be used for privilege escalation (if you can trick another user into resolving a DNS name you control, it would be possible) | ||||
| Steps To Reproduce | 1. enable gns NSS module via a line in /etc/nsswitch.conf: gns [NOTFOUND=return] 2. resolve any DNS name with shell special characters | ||||
| Tags | No tags attached. | ||||
|
|
Privilege escalation is definitively not possible, as the libc code runs as the same user that triggered the name resolution. But I guess theoretically one might trick a user into executing a command when they think of resolving a hostname (assuming the application that originally got the hostname doesn't validate that the hostname is well-formed to begin with). Anyway, we should indeed fix this. |
|
|
Fixed in 8a039e9e8..a9c5183b1 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2018-09-23 17:42 | bennofs | New Issue | |
| 2018-11-21 00:01 | Christian Grothoff | Note Added: 0013351 | |
| 2018-11-21 00:02 | Christian Grothoff | Assigned To | => Christian Grothoff |
| 2018-11-21 00:02 | Christian Grothoff | Status | new => assigned |
| 2018-11-22 10:31 | Christian Grothoff | Status | assigned => resolved |
| 2018-11-22 10:31 | Christian Grothoff | Resolution | open => fixed |
| 2018-11-22 10:31 | Christian Grothoff | Fixed in Version | => 0.11.0 |
| 2018-11-22 10:31 | Christian Grothoff | Note Added: 0013359 | |
| 2018-11-22 10:31 | Christian Grothoff | Target Version | => 0.11.0 |
| 2019-02-28 11:17 | Christian Grothoff | Status | resolved => closed |
