On 9/30/19 7:34 AM, Daniel P. Berrangé wrote:
Consider having a nc binary in the path with a space in its name,
for example '/tmp/fo o/nc'
This results in libvirt running SSH with the following arg value
"'if ''/tmp/fo o/nc'' -q 2>&1 | grep \"requires
an argument\" >/dev/null 2>&1; then ARG=-q0;
else ARG=;fi;''/tmp/fo o/nc'' $ARG -U
/var/run/libvirt/libvirt-sock'"
With the second level of escaping added we can now successfully use a
nc
binary with a space in the path.
The original test case added was misleading as it illustrated using a
binary path of 'nc -4' which is not a path, it is a command with a
separate argument, which is getting interpreted as a path.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/rpc/virnetclient.c | 8 ++++++++
src/rpc/virnetsocket.c | 9 +++++++++
tests/virnetsockettest.c | 6 +++---
3 files changed, 20 insertions(+), 3 deletions(-)
Reviewed-by: Eric Blake <eblake(a)redhat.com>
[We had an IRC chat about whether this was a possible CVE - the answer
was no - although the bug can be exploited with "/path/to/';date" as a
way to get the remote machine to execute date, it's not an elevation of
privilege, because if you already have ssh access to the remote machine,
you don't need libvirt misquoting the nc binary's name to make ssh do
what you want.]
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization:
qemu.org |
libvirt.org