‘a2ps Executing Shell Commands From File Name’

Summary

a2ps is ‘an Any to PostScript filter’. a2ps can be made to execute shell commands from a given filename allowing an attacker to execute arbitrary commands.’

Credit:

‘The information has been provided by Rudolf Polzer.’


Details

Vulnerable Systems:
 * a2ps version 4.13, possibly prior, on all platforms supported with Bash or C-shell used by System()

Immune Systems:
 * a2ps latest from CVS, FreeBSD only

a2ps can execute shell commands from file names. Unless you use a2ps with wildcards from a world-writeable directory like /tmp, this issue doesn t pose a real impact on your system.

How to reproduce:
$ touch ‘x`echo >&2 42`.c’
$ a2ps -o /dev/null *.c
42
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null’
$ a2ps -V
GNU a2ps 4.13
Written by Akim Demaille, Miguel Santana.

How it was found:
$ touch ‘LAN (div0)’
$ a2ps -o /dev/null LAN*
sh: -c: line 1: syntax error near unexpected token `(‘
sh: -c: line 1: `/usr/bin/file -L LAN (div0)’
[LAN (div0) (plain): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null’

Workaround
Do not use wildcards in a2ps command lines except if you do that in a directory only you can create files in and where you know the contents.

Patch Availability:
A patch was written by Rudolf and was sent to the FreeBSD developers, the Debian a2ps maintainer and to GNU itself. However, the patch was only admitted into the CVS tree for a2ps by the FreeBSD team, making the FreeBSD version the only one with a fix.

The patch can be found at http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain.

The patch itself might not work on Windows even though the problem exists if command.com is used a shell interpreter. The filename might be different though.

For convenience, it is also copied here:
— src/select.c.orig Thu Dec 16 02:04:56 1999
+++ src/select.c Sat Aug 21 12:05:31 2004
@@ -131,6 +131,36 @@
   return 1;
 }
 
+/* escapes the name of a file so that the shell groks it in ‘single’ q.marks.
+ The resulting pointer has to be free()ed when not longer used. */
+char *
+shell_escape(const char *fn)
+{
+ size_t len = 0;
+ const char *inp;
+ char *retval, *outp;
+
+ for(inp = fn; *inp; ++inp)
+ switch(*inp)
+ {
+ case ‘\”: len += 4; break;
+ default: len += 1; break;
+ }
+
+ outp = retval = malloc(len + 1);
+ if(!outp)
+ return NULL; /* perhaps one should do better error handling here */
+ for(inp = fn; *inp; ++inp)
+ switch(*inp)
+ {
+ case ‘\”: *outp++ = ‘\”; *outp++ = ‘\’; *outp++ = ‘\”, *outp++ = ‘\”; break;
+ default: *outp++ = *inp; break;
+ }
+ *outp = 0;
+
+ return retval;
+}
+
 /* What says file about the type of a file (result is malloc’d). NULL
   if could not be run. */
 
@@ -144,11 +174,15 @@
   if (IS_EMPTY (job->file_command))
     return NULL;
 
+ filename = shell_escape(filename);
+ if(filename == NULL)
+ return NULL;
   /* Call file(1) with the correct option */
– command = ALLOCA (char, (2
+ command = ALLOCA (char, (4
       + strlen (job->file_command)
       + ustrlen (filename)));
– sprintf (command, ‘%s %s’, job->file_command, (const char *) filename);
+ sprintf (command, ‘%s ‘%s”, job->file_command, (const char *) filename);
+ free(filename);
   message (msg_tool, (stderr, ‘Reading pipe: `%s’n’, command));
   file_out = popen (command, ‘r’);

Categories: UNIX