ESB-2018.0033 - [NetBSD] virecover: Delete arbitrary files - Existing account 2018-01-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0033
                          Local DoS in virecover
                              3 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           virecover
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Delete Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-002.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2018-002
		 =================================

Topic:		Local DoS in virecover

Version:	NetBSD-current:		source prior to Sat, November 4th 2017
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Local Denial of Service

Fixed:		NetBSD-current:		Sat, November 4th 2017
		NetBSD-6-0 branch:	Sun, November 5th 2017
		NetBSD-6-1 branch:	Sun, November 5th 2017
		NetBSD-6 branch:	Sun, November 5th 2017
		NetBSD-7-0 branch:	Sun, November 5th 2017
		NetBSD-7 branch:	Sun, November 5th 2017
		NetBSD-8 branch:	Sun, November 5th 2017

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An error in the virecover script allows an unprivileged local user to
delete arbitrary files in the root directory (/).

Technical Details
=================

The virecover shell script used file globbing without arranging for
whitespace within filenames to be preserved: the glob result was
expanded unquoted, so the shell's word splitting broke any filename
containing whitespace into several words.

Instead of treating a filename containing a space as a single name, the
script therefore treated it as two separate files.

For example, by placing a file named "vi. netbsd" in /var/tmp/virecover,
an attacker makes virecover see two names: /var/tmp/virecover/vi. and
netbsd.

When virecover goes on to delete the recovery files, the bare word
netbsd is resolved relative to the script's current working directory,
which is the root directory when it is run by the rc system, so the
deletion hits a file in / rather than the planted recovery file.

Because an unprivileged user can create files in the recovery directory,
this allows that user to delete any file within the root directory whose
name they can place after the space.
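The following is an added illustration, not the NetBSD virecover script and not the fix that shipped: a constructed model of the word-splitting bug described above, next to a quoted loop that is immune to it. It builds its own temporary recovery directory and a temporary "root" that stands in for the script's working directory, so nothing under /var/tmp or / is touched; the file names "vi. victim" and "victim" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not NetBSD's virecover): a constructed model of the
# word-splitting bug, beside a quoted form that avoids it. All paths are
# temporary directories created by this script.

set -u

# Build a throwaway recovery directory and a throwaway "root" that stands
# in for virecover's working directory. The planted recovery file has a
# space in its name, mirroring the advisory's "vi. netbsd"; the unrelated
# file "victim" in the fake root is the one the bug reaches.
setup() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/recover" "$work/root"
    : > "$work/recover/vi. victim"   # attacker-chosen name, with a space
    : > "$work/root/victim"          # unrelated file in the working dir
    printf '%s\n' "$work"
}

# Vulnerable pattern: the glob is flattened through echo and the unquoted
# result is word-split, so "vi. victim" becomes "vi." and "victim". The
# bare word "victim" is then resolved relative to the working directory.
# Returns 0 when the unrelated file in the fake root was deleted.
vulnerable_cleanup() {
    work=$1
    recdir=$work/recover
    (
        cd "$work/root" || exit 1
        files=`echo $recdir/vi.*`     # unquoted: splits on whitespace
        for i in $files; do
            rm -f $i                  # second word hits ./victim
        done
    )
    [ ! -e "$work/root/victim" ]
}

# Hardened pattern: iterate the glob directly and quote every expansion,
# so each pathname stays a single word whatever characters it contains.
# Returns 0 when the unrelated file survived and the recovery file is gone.
hardened_cleanup() {
    work=$1
    recdir=$work/recover
    (
        cd "$work/root" || exit 1
        for i in "$recdir"/vi.*; do
            [ -e "$i" ] || continue   # glob matched nothing at all
            rm -f -- "$i"
        done
    )
    [ -e "$work/root/victim" ] && [ ! -e "$recdir/vi. victim" ]
}

# Stand-alone demonstration: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    w=$(setup)
    vulnerable_cleanup "$w" && echo "vulnerable loop: root/victim deleted"
    w=$(setup)
    hardened_cleanup "$w" && echo "hardened loop: root/victim intact, recovery file removed"
fi
```

The vulnerable loop both deletes the wrong file and leaves the planted recovery file in place, because neither half of the split name matches it. The same split happens with tabs or newlines in the name, and the two fixes that matter are the ones shown: let the `for` expand the glob itself, and quote `"$i"` everywhere it is used (the `--` additionally stops a name beginning with `-` from being read as an option).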

Solutions and Workarounds
=========================

Disabling virecover:
# echo "virecover=NO" >> /etc/rc.conf

Updating nvi:

FILE  HEAD  netbsd-8  netbsd-7  netbsd-7-1  netbsd-7-0

external/bsd/nvi/dist/common/recover.c
      1.9   1.5.22.1  1.5.6.1   1.5.18.1    1.5.10.1

external/bsd/nvi/usr.bin/recover/virecover
      1.3   1.1.22.1  1.1.6.1   1.1.18.1    1.1.10.1

FILE  netbsd-6   netbsd-6-1   netbsd-6-0
dist/nvi/common/recover.c
      1.3.10.1   1.3.24.1     1.3.16.1

usr.bin/nvi/recover/virecover
      1.1.22.1   1.1.36.1     1.1.28.1

for netbsd-7, -7-0, -7-1, netbsd-8, HEAD (VERSION is the revision listed
for your branch in the table above):

$ cd src
$ cvs update -d -P -r VERSION external/bsd/nvi/dist/common/recover.c
$ cvs update -d -P -r VERSION external/bsd/nvi/usr.bin/recover/virecover
$ cd external/bsd/nvi
$ make USETOOLS=no
# make install USETOOLS=no


for netbsd-6, -6-0, -6-1 (VERSION as above):
$ cd src
$ cvs update -d -P -r VERSION dist/nvi/common/recover.c
$ cvs update -d -P -r VERSION usr.bin/nvi/recover/virecover
$ cd usr.bin/nvi
$ make USETOOLS=no
# make install USETOOLS=no

Thanks To
=========

Maya Rashish for noticing the issue, Christos Zoulas and Robert Elz for
deploying the fix.

Revision History
================

	2018-01-02	Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
