View Issue Details

IDProjectCategoryView StatusLast Update
0005437GNUnetGNSpublic2019-02-28 11:17
ReporterbennofsAssigned ToChristian Grothoff 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product VersionSVN HEAD 
Target Version0.11.0Fixed in Version0.11.0 
Summary0005437: Shell special characters are interpreted in gns lookup in NSS module
DescriptionThe NSS module for GNS resolves names by executing the shell command:

gnunet-gns -r -u $DOMAIN

This means that it interprets shell special characters:

$ getent ahosts ';'
gnunet-gns: option requires an argument -- u
Use --help to get a list of options.
gnunet-gns: option requires an argument -- u
Use --help to get a list of options.

Not sure if this can be used for privilege escalation (if you can trick another user into resolving a DNS name you control, it would be possible)
Steps To Reproduce1. enable gns NSS module via a line in /etc/nsswitch.conf: gns [NOTFOUND=return]
2. resolve any DNS name with shell special characters

TagsNo tags attached.

Activities

Christian Grothoff

2018-11-21 00:01

manager   ~0013351

Privilege escalation is definitively not possible, as the libc code runs as the same user that triggered the name resolution. But I guess theoretically one might trick a user into executing a command when they think of resolving a hostname (assuming the application that originally got the hostname doesn't validate that the hostname is well-formed to begin with).

Anyway, we should indeed fix this.

Christian Grothoff

2018-11-22 10:31

manager   ~0013359

Fixed in 8a039e9e8..a9c5183b1

Issue History

Date Modified Username Field Change
2018-09-23 17:42 bennofs New Issue
2018-11-21 00:01 Christian Grothoff Note Added: 0013351
2018-11-21 00:02 Christian Grothoff Assigned To => Christian Grothoff
2018-11-21 00:02 Christian Grothoff Status new => assigned
2018-11-22 10:31 Christian Grothoff Status assigned => resolved
2018-11-22 10:31 Christian Grothoff Resolution open => fixed
2018-11-22 10:31 Christian Grothoff Fixed in Version => 0.11.0
2018-11-22 10:31 Christian Grothoff Note Added: 0013359
2018-11-22 10:31 Christian Grothoff Target Version => 0.11.0
2019-02-28 11:17 Christian Grothoff Status resolved => closed