[libvirt] [PATCH] rpc: fix escaping of shell path for netcat binary
Eric Blake
eblake at redhat.com
Mon Sep 30 19:09:08 UTC 2019
On 9/30/19 7:34 AM, Daniel P. Berrangé wrote:
> Consider having a nc binary in the path with a space in its name,
> for example '/tmp/fo o/nc'
>
> This results in libvirt running SSH with the following arg value
>
> "'if ''/tmp/fo o/nc'' -q 2>&1 | grep \"requires
> an argument\" >/dev/null 2>&1; then ARG=-q0;
> else ARG=;fi;''/tmp/fo o/nc'' $ARG -U
> /var/run/libvirt/libvirt-sock'"
>
> With the second level of escaping added we can now successfully use a nc
> binary with a space in the path.
>
> The original test case added was misleading as it illustrated using a
> binary path of 'nc -4', which is not a path; it is a command with a
> separate argument, which is getting interpreted as a path.
>
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
> src/rpc/virnetclient.c | 8 ++++++++
> src/rpc/virnetsocket.c | 9 +++++++++
> tests/virnetsockettest.c | 6 +++---
> 3 files changed, 20 insertions(+), 3 deletions(-)
>
Reviewed-by: Eric Blake <eblake at redhat.com>
[We had an IRC chat about whether this was a possible CVE - the answer
was no - although the bug can be exploited with "/path/to/';date" as a
way to get the remote machine to execute date, it's not an elevation of
privilege, because if you already have ssh access to the remote machine,
you don't need libvirt misquoting the nc binary's name to make ssh do
what you want.]
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
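As an added example, not libvirt's code and not the patch itself, the POSIX shell script below reconstructs the two-parse problem the commit message describes and shows why a second level of escaping fixes it. It assumes the ssh argument has the shape quoted above ('if 'NC' -q ... fi;'NC' $ARG -U SOCK'), that it is preceded by a separate "sh -c" argument, that ssh joins the arguments with spaces, and that the remote login shell parses the joined line once before the inner sh parses the script again. The helper names shell_quote, ssh_arg, remote_cmd_once, remote_cmd_twice, run_remote and fake_nc are the example's own, and the fake nc binary is a constructed fixture.

```shell
#!/bin/sh
# Added example, not libvirt's code: the netcat path quoted once versus twice
# before it is handed to ssh, as the commit message above describes.  Model
# (an assumption of this example): libvirt passes "sh -c" and a single-quoted
# script as separate ssh arguments, ssh joins them with spaces, the remote
# login shell parses that line once, and the inner sh parses the script again.
# Helper names (shell_quote, ssh_arg, remote_cmd_once, remote_cmd_twice,
# run_remote, fake_nc) are this example's own.

# shell_quote: quote ARG for a POSIX shell the way virBufferEscapeShell does:
# left alone if it contains only [A-Za-z0-9_./-], otherwise single-quoted with
# every embedded ' turned into '\''.
shell_quote() {
    case $1 in
        ''|*[!A-Za-z0-9_./-]*)
            printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
        *)
            printf '%s' "$1" ;;
    esac
}

# ssh_arg: the one ssh argument wrapped around an already quoted nc path NC,
# with the literal quotes the commit message shows: probe NC for -q, then
# connect NC to the socket path SOCK.
ssh_arg() {
    printf "'if '%s' -q 2>&1 | grep \"requires an argument\" >/dev/null 2>&1; then ARG=-q0; else ARG=; fi; '%s' \$ARG -U %s'" \
        "$1" "$1" "$2"
}

# remote_cmd_once: the pre-fix line, nc path quoted a single time.  The
# remote login shell strips that one layer, so the inner sh sees a bare path.
remote_cmd_once() {
    printf 'sh -c %s' "$(ssh_arg "$(shell_quote "$1")" "$2")"
}

# remote_cmd_twice: the fixed line, the quoted path quoted once more, so the
# inner sh still sees the path inside single quotes.
remote_cmd_twice() {
    printf 'sh -c %s' "$(ssh_arg "$(shell_quote "$(shell_quote "$1")")" "$2")"
}

# run_remote: stand-in for the remote side, where sshd runs the joined line
# through the user's login shell; prints whatever the inner commands print.
run_remote() {
    sh -c "$1" 2>&1
}

# fake_nc: constructed fixture, a stand-in nc in a directory whose name has a
# space; it only reports the arguments it received.  Prints its own path.
fake_nc() {
    dir=$(mktemp -d)
    mkdir "$dir/fo o"
    cat > "$dir/fo o/nc" <<'EOF'
#!/bin/sh
printf 'nc args:'
for a in "$@"; do printf ' [%s]' "$a"; done
printf '\n'
EOF
    chmod +x "$dir/fo o/nc"
    printf '%s/fo o/nc' "$dir"
}

# Demo: the once-quoted line never reaches the binary (the inner sh runs
# ".../fo" with "o/nc" as its first argument); the twice-quoted line does.
NC=$(fake_nc)
SOCK=/var/run/libvirt/libvirt-sock
printf 'once:  %s\n' "$(remote_cmd_once "$NC" "$SOCK")"
run_remote "$(remote_cmd_once "$NC" "$SOCK")" || echo "once: exit status $?"
printf 'twice: %s\n' "$(remote_cmd_twice "$NC" "$SOCK")"
run_remote "$(remote_cmd_twice "$NC" "$SOCK")"
rm -rf "${NC%/fo o/nc}"
```

Run it with sh. The once-quoted line reproduces the ''/tmp/fo o/nc'' shape from the commit message and ends with exit status 127, because after the remote login shell has stripped the only layer of quotes the inner sh tries to execute ".../fo" with "o/nc" as an argument. The twice-quoted line reaches the fake nc with "-U" and the socket path. The same double quoting is what keeps a "'" in the path from terminating the quoting on the remote side, which is the "/path/to/';date" case discussed in the reply above.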