Hi Tomas,

Thanks for the feedback.

On Mon, Dec 24, 2018 at 08:47:55PM +0000, Tomas Bortoli wrote:
>    Hi Robert,
>    Your patch seems not to be definitive against CVE-2018-19518.
>    This because checking for spaces won't be enough if an attacker uses some
>    "bash trick" to get a space...
>    In fact you can get a space by not typing it, with something like this:
>      a=`date`;echo${a:3:1}asd
>    Will print "asd".. it gets the space from a substring of "a".

I tried numerous different such tricks and every one that I tried
between 'x' and '-o' in the host specification resulted in the
vulnerability not manifesting itself.

That said, I did not try this specific trick and I will investigte to
determine if it results in the vulnerability manifesting itself.

>    Regarding the code, there is a bit of redundancy as the "for" in the
>    if-else is repeated in both branches, it could be therefore placed after
>    the if-else and achieve the same semantic result without redundancy.

There are two command templates involved in this section of code:
rshcommand and sshcommand.  The two for loops each operate on a
different command template.

>    About the bug, as far as I understand the injection is, eventually,
>    possible in the server name...shouldn't that be the "host" variable in the
>    patch? [1]
>    I am not sure...CVE description is quite smallish..
Yes, the description could certainly use more detail.  That said, I did
include this in my original post:

    I also wondered whether it was possible to cause the vulnerability
    without a space in the hostname (somewhat related to the first
    question).  In any event, I concluded that the question of whether
    something is a valid hostname might be a bit complex to tackle and
    despite numerous attempts I was not able to exploit the
    vulnerability without the space between the host name and the
    command switch '-'.

I suppose it would be possible to apply the approach of counting tokens
to the host variable to ensure that it only contains a single token.
However, I do not think that is any better or worse than the approach I
came up with.



Roberto C. Sánchez

Reply via email to