[libvirt] [PATCH] rpc: fix escaping of shell path for netcat binary

Eric Blake eblake at redhat.com
Mon Sep 30 19:09:08 UTC 2019


On 9/30/19 7:34 AM, Daniel P. Berrangé wrote:
> Consider having a nc binary in the path with a space in its name,
> for example '/tmp/fo o/nc'
> 
> This results in libvirt running SSH with the following arg value
> 
>    "'if ''/tmp/fo o/nc'' -q 2>&1 | grep \"requires
>      an argument\" >/dev/null 2>&1; then ARG=-q0;
>      else ARG=;fi;''/tmp/fo o/nc'' $ARG -U
>      /var/run/libvirt/libvirt-sock'"
> 

> With the second level of escaping added we can now successfully use a nc
> binary with a space in the path.
> 
> The original test case added was misleading as it illustrated using a
> binary path of 'nc -4' which is not a path, it is a command with a
> separate argument, which is getting interpreted as a path.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>   src/rpc/virnetclient.c   | 8 ++++++++
>   src/rpc/virnetsocket.c   | 9 +++++++++
>   tests/virnetsockettest.c | 6 +++---
>   3 files changed, 20 insertions(+), 3 deletions(-)
> 

Reviewed-by: Eric Blake <eblake at redhat.com>

[We had an IRC chat about whether this was a possible CVE - the answer 
was no - although the bug can be exploited with "/path/to/';date" as a 
way to get the remote machine to execute date, it's not an elevation of 
privilege, because if you already have ssh access to the remote machine, 
you don't need libvirt misquoting the nc binary's name to make ssh do 
what you want.]

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
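A worked illustration of the two levels of quoting the patch describes, added here as an example and not code from the patch or from libvirt: Python's shlex.quote stands in for libvirt's shell escaping, the command template is modelled on the one quoted above (with my own spacing around ';' so a tokenizer can see the operators), and the host and path values are constructed.

```python
import shlex

# Constructed stand-in for the remote command libvirt runs over SSH to reach
# the daemon socket through netcat; the socket path is the one quoted in the
# thread, the spacing around ';' is mine so a tokenizer can split operators.
SOCK = "/var/run/libvirt/libvirt-sock"

TEMPLATE = ('if {nc} -q 2>&1 | grep "requires an argument" >/dev/null 2>&1; '
            'then ARG=-q0; else ARG=; fi; {nc} $ARG -U {sock}')

def remote_cmd_naive(nc_path: str) -> str:
    """Embed the nc path as-is: only the outer command gets quoted later, so a
    space or quote in the path is re-parsed by the remote shell (the bug)."""
    return TEMPLATE.format(nc=nc_path, sock=SOCK)

def remote_cmd_quoted(nc_path: str) -> str:
    """First level of escaping: quote the path for the remote shell before
    embedding it, so it survives as one word however it is spelled."""
    return TEMPLATE.format(nc=shlex.quote(nc_path), sock=SOCK)

def ssh_argv(host: str, remote_cmd: str) -> list:
    """Second level: the whole remote command travels as one local argv
    element. ssh joins its trailing arguments with spaces and hands the result
    to the remote login shell, so the string must already be shell-safe."""
    return ["ssh", host, remote_cmd]

def remote_words(remote_cmd: str) -> list:
    """Approximate the remote POSIX shell's word splitting and quote removal."""
    return shlex.split(remote_cmd)

def path_is_single_word(remote_cmd: str, nc_path: str) -> bool:
    """The path appears twice in the template; both times the remote shell
    must see exactly the original path as one word. Unbalanced quotes make
    the shell fail to parse at all, which also counts as broken."""
    try:
        return remote_words(remote_cmd).count(nc_path) == 2
    except ValueError:
        return False

if __name__ == "__main__":
    for path in ("/usr/bin/nc", "/tmp/fo o/nc", "/path/to/';date"):
        for name, build in (("naive", remote_cmd_naive),
                            ("quoted", remote_cmd_quoted)):
            ok = path_is_single_word(build(path), path)
            print(f"{name:6} {path!r}: {'ok' if ok else 'BROKEN'}")
```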