This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: CVE-2009-4273 for stap 1.0?

From: Dave Brolley <brolley at redhat dot com>
To: Tony Jones <tonyj at suse dot de>
Cc: SystemTAP <systemtap at sources dot redhat dot com>
Date: Wed, 03 Feb 2010 15:23:03 -0500
Subject: Re: CVE-2009-4273 for stap 1.0?
References: <20100128051807.GA25969@suse.de> <4B61BFA7.5020809@redhat.com> <20100203194706.GA6741@suse.de>

Hi Tony,

Tony Jones wrote:

As part of verifying the backport I tried initially to reproduce the problem in the un-fixed code based on the "horror cases" mentioned at: http://sourceware.org/bugzilla/show_bug.cgi?id=11105#c1

I tried various forms based off of the "stap-client -D 'asdf ; ls /etc' ..." case but I guess I'm not understanding the side-effects. I assumed the above would result in some form of extraneous output at the client side?
I guess I'd welcome some concrete examples that demonstrate the exploit if
you have a spare couple of minutes. Either on or off-list is fine.

Here is an example which demonstrates the exploit. Running

stap-client -p1 -B\;ai2

will print an error about -B being an invalid option followed by the usage help followed by a message similar to

/usr/local/bin/stap-server: line 340: ai2: command not found

which indicates that server tried to run the 'ai2' command.

I hope this helps,
Dave

References:
- Re: CVE-2009-4273 for stap 1.0?
  - From: Dave Brolley
- Re: CVE-2009-4273 for stap 1.0?
  - From: Tony Jones

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]