security hole in swais, FYI

Jonny Goldman jonathan at Think.COM
Tue Sep 1 17:02:05 UTC 1992


   From: Marten Terpstra <Marten.Terpstra at ripe.net>
   Date: Tue, 01 Sep 92 15:46:22 +0200

   Mark Kosters from GSI notified us of the problem. Using swais you can pipe
   the output of a search into any command. You can do this by typing 'c' or '|'
   on the output of a search.

We've known about this.  The solution is to run swais under a chroot, with a
very limited bin directory.  This is how swais is run on Quake, and we've
had no evidence of any tampering.

   Since we are running swais as a public service for people without their own
   wais client this can be quite harmful. Mark demonstrated that he could start
   a shell, list /etc/passwd and so on.

   We are running swais under userID nobody, so too much harm cannot be done,
   but still, we decided to disable the 'c' and '|' keys as commands.
   We are running the thing without a chroot though.

   The offending parts can be found in screen_ui.c. This is however with
   wais-8-b4, don't know about b5.

   Commenting out:

               case '|'  : ;
               case 'c'  : pipe_command(question);
                           state=UNKNOWN;
                           return(SHOWRESULTS);

   in screen_ui.c does the trick, as far as we can see.
   It would be nice if there was a compile time option to switch to swais in
   "safe" mode, like some pagers have.

I believe Jim Fulton's version allows this, but I'll check to make sure.

   Also if you are offering this as a public service, make sure that the pipe
   commands and shell escapes in the pager swais uses are disabled ...

I've done this by using a special .cshrc, but I just thought of a way that
could be defeated.  Hmmm, I want users to be able to use a limited set of
commands.  Perhaps swais needs a "secure" command list.

- Jonny G
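Jonny's closing suggestion of a "secure" command list, worked through as an added example that is not from the swais source or from either poster: a hypothetical replacement for pipe_command() that splits the user's line itself, refuses shell metacharacters and paths, checks argv[0] against an allow-list, and runs the program with execvp() so no shell is ever involved. The allow-list contents and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical site allow-list: bare program names only, no paths. */
static const char *const ALLOWED[] = { "more", "wc", "lpr", NULL };
#define MAX_ARGS 16

/* Split a user-typed pipe command into argv[] on whitespace only.
   Refuses anything that would need a shell (metacharacters, paths,
   empty input, too many words).  Returns argc, or -1 when refused. */
int parse_safe_command(const char *line, char *buf, size_t buflen,
                       char *argv[], int max_args)
{
    int argc = 0;
    if (strlen(line) + 1 > buflen) return -1;
    for (const char *p = line; *p; p++)
        if (strchr("|&;<>`$\\\"'()/\n*?", *p) != NULL) return -1;
    strcpy(buf, line);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max_args - 1) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    if (argc == 0) return -1;
    for (int i = 0; ALLOWED[i]; i++)
        if (strcmp(argv[0], ALLOWED[i]) == 0) return argc;
    return -1;                      /* argv[0] is not on the allow-list */
}

/* Feed `text` (the search output) to an allow-listed command via execvp(),
   never system() or popen().  Returns the child's exit status, or -1 if
   the command was refused or could not be run. */
int run_pipe_command(const char *line, const char *text)
{
    char buf[256], *argv[MAX_ARGS];
    int fd[2], status;
    if (parse_safe_command(line, buf, sizeof buf, argv, MAX_ARGS) < 0) return -1;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: stdin is the pipe, then exec */
        dup2(fd[0], STDIN_FILENO); close(fd[0]); close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fd[0]);
    (void)write(fd[1], text, strlen(text)); close(fd[1]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

This only narrows what the pipe key can start; it is not a substitute for the chroot and unprivileged user the thread already recommends, and the pager swais hands the output to still needs its own shell escapes disabled.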
