ravthan / all-eyes

Automatically exported from code.google.com/p/all-eyes

create_checksum_filemon may have command injection in call to sha256sum #120

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
If the variable file_name contains a ";" in the string then you could trigger
commands to be run as the user doing the calculation.

I.e. file_name="test; /bin/rm -rf /" could have disastrous consequences.

Scott

Original issue reported on code.google.com by sck.no...@gmail.com on 26 Nov 2012 at 10:17
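The pattern the report describes, as an added example that is not the all-eyes project's own code: a file name spliced into a `sha256sum` command line that later reaches `/bin/sh`, next to two ways of closing the hole. The function names (`build_checksum_cmd_vulnerable`, `filename_is_safe`, `sha256sum_exec`), the allowlisted character set and the sample name are assumptions made for the example; the real `create_checksum_filemon()` in filemonConfig.c is not shown here.

```c
/* Added example (not project code). Demonstrates the injection in the
 * report above and two mitigations. Function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the name is spliced into a command string that is
 * later handed to system() or popen(). Anything /bin/sh treats specially
 * (';', '|', '&', '`', '$(') in file_name becomes a second command.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *build_checksum_cmd_vulnerable(const char *file_name)
{
    const char *prefix = "sha256sum ";
    size_t len = strlen(prefix) + strlen(file_name) + 1;
    char *cmd = malloc(len);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, len, "%s%s", prefix, file_name);
    return cmd;   /* e.g. "sha256sum test; /bin/rm -rf /" */
}

/* Mitigation 1: allowlist the name before it goes anywhere near a shell.
 * Accepts only letters, digits, '.', '_', '-' and '/', rejects empty names
 * and names starting with '-' (sha256sum would read those as options).
 * The character set is an assumption chosen for this example.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int filename_is_safe(const char *file_name)
{
    size_t i;
    if (file_name == NULL || file_name[0] == '\0' || file_name[0] == '-')
        return 0;
    for (i = 0; file_name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)file_name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}

/* Mitigation 2: do not involve a shell at all. The name is passed as one
 * argv element via execvp(), so nothing in it is re-parsed; "--" stops
 * option parsing so a leading '-' is still a file name. The child's stdout
 * ("<hex>  <name>\n") is read into out (out_len bytes, NUL-terminated).
 * Returns 0 if sha256sum exited 0, -1 on any failure. */
int sha256sum_exec(const char *file_name, char *out, size_t out_len)
{
    int pipefd[2], status;
    pid_t pid;
    size_t total = 0;

    if (out_len == 0 || pipe(pipefd) == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        char *const argv[] = { "sha256sum", "--", (char *)file_name, NULL };
        close(pipefd[0]);
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(pipefd[1]);                     /* parent */
    for (;;) {
        char chunk[256];
        ssize_t got = read(pipefd[0], chunk, sizeof chunk);
        if (got <= 0)
            break;
        /* keep what fits, drain the rest so the child never blocks on write */
        size_t room = out_len - 1 - total;
        size_t keep = (size_t)got < room ? (size_t)got : room;
        memcpy(out + total, chunk, keep);
        total += keep;
    }
    out[total] = '\0';
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample name taken from the report above. */
    const char *hostile = "test; /bin/rm -rf /";
    char *cmd = build_checksum_cmd_vulnerable(hostile);
    char line[512];

    printf("shell would see: %s\n", cmd ? cmd : "(alloc failed)");
    free(cmd);
    printf("allowlist accepts hostile name: %d\n", filename_is_safe(hostile));
    printf("allowlist accepts filemon.conf: %d\n", filename_is_safe("filemon.conf"));
    if (sha256sum_exec("/dev/null", line, sizeof line) == 0)
        printf("exec without shell: %s", line);
    return 0;
}
```

The second mitigation is the one that actually removes the bug class: with `execvp()` the hostile name is a single argument and `sha256sum` simply reports that no such file exists. The allowlist is defence in depth and matches the "checks built-in" the second comment asks for; note that a check which only looks at one class of characters still leaves the `system()`/`popen()` call sensitive to every other shell metacharacter, so the check should be an allowlist, not a denylist.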

GoogleCodeExporter commented 8 years ago
The function create_checksum_filemon() is in file filemonConfig.c. This
function is called only after opening a specific data file defined by symbolic
name CONFIGFILE from a specific location. The data file defined by CONFIGFILE
has the owner/group of root/root and has the permission 0644 (only root can
write to this file) after installation in production environment. There is no
user input or user manipulable part other than the root user. Therefore, the
command injection isn't exploitable. However, for safe coding, there should be
built-in checks to prevent such problems.

Original comment by toddd...@gmail.com on 27 Nov 2012 at 4:04

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r987.

Original comment by heyyoul...@gmail.com on 28 Nov 2012 at 10:01

GoogleCodeExporter commented 8 years ago
Added a check for 0-9; please test with build 990+.

Thanks,

Original comment by heyyoul...@gmail.com on 29 Nov 2012 at 3:57

GoogleCodeExporter commented 8 years ago
Verified with unit testing

Original comment by tbrt....@gmail.com on 9 Dec 2012 at 9:24