security hole in swais, FYI
jonathan at Think.COM
Tue Sep 1 17:02:05 UTC 1992
From: Marten Terpstra <Marten.Terpstra at ripe.net>
Date: Tue, 01 Sep 92 15:46:22 +0200
Mark Kosters from GSI notified us of the problem. Using swais you can pipe
the output of a search into any command. You can do this by typing 'c' or '|'
on the output of a search.
We've known about this. The solution is to run swais under a chroot, with a
very limited bin directory. This is how swais is run on Quake, and we've
had no evidence of any tampering.
Since we are running swais as a public service for people without their own
wais client this can be quite harmful. Mark demonstrated that he could start
a shell, list /etc/passwd and so on.
We are running swais under userID nobody, so too much harm cannot be done,
but still, we decided to disable the 'c' and '|' keys as commands.
We are running the thing without a chroot though.
The offending parts can be found in screen_ui.c. This is however with
wais-8-b4, don't know about b5.
case '|' : ;
case 'c' : pipe_command(question);
in screen_ui.c does the trick, as far as we can see.
It would be nice if there was a compile time option to switch to swais in
"safe" mode, like some pagers have.
I believe Jim Fulton's version allows this, but I'll check to make sure.
Also if you are offering this as a public service, make sure that the pipe
commands and shell escapes in the pager swais uses are disabled ...
I've done this by using a special .cshrc, but I just thought of a way that
could be defeated. Hmmm, I want users to be able to use a limited set of
commands. Perhaps swais needs a "secure" command list.
- Jonny G
More information about the NANOG