Bug 15271
| Summary: | Netbooting can lead to arbitrary commands execution | ||
|---|---|---|---|
| Product: | Other | Reporter: | Andrea Canciani (ranma42) |
| Component: | klibc/kinit | Assignee: | other_klibc-kinit |
| Status: | CLOSED CODE_FIX | ||
| Severity: | normal | CC: | adobriyan, alan, max, warthog9 |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | Subsystem: | ||
| Regression: | No | Bisected commit-id: | |
| Attachments: |
Patch to add string escaping
Patch to do correct string escaping Patch to do correct string escaping (2) Patch to do correct string escaping (3) |
||
nothing to do with kernel (In reply to comment #1) > nothing to do with kernel I posted the report here since klibc development tree (http://git.kernel.org/?p=libs/klibc/klibc.git) is managed by kernel.org Is there a more appropriate bug tracker to use for klibc? Created attachment 25028 [details] Patch to do correct string escaping Escaping in the previous patch was incorrect. Escaping rewritten following the specification http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html Created attachment 25029 [details]
Patch to do correct string escaping (2)
Oops! The previous patch contained a typo.
Created attachment 25030 [details]
Patch to do correct string escaping (3)
The previous patch compiles, but contains a thinko (it outputs "'" both escaped and unescaped). Sorry.
I hope this one is fine.
|
Created attachment 24990 [details] Patch to add string escaping At boot, init typically configures networking by running ipconfig and sourcing /tmp/net-*.conf right after it. An (intentionally) misconfigured DHCP server can send arbitrary commands to be executed in the sourcing (tested on Ubuntu Karmic Koala kernel 2.6.31-14) because no escaping is applied to the strings. For example, a DHCP server passing a filename of "test$(cat /init)" makes the boot sequence display the content of the init file.