Hi,
I am currently auditing many open-source reddit clients and have
found an important vulnerability in rtv involving massive remote code
execution.
The problem
In rtv/terminal.py:471 (rev. 20b59d5), in open_browser(...) the
command variable is built unsafely. A URL such as:
http://test.com/?q=');print('hacked');print('
would allow Python code injection, which would later be happily
executed by Python through the Popen call.
Attack scenario
An attacker could craft a malicious url executing code (most likely
downloading a trojan) and post it under an attractive reddit title.
Anyone trying to open it in the web browser through rtv would get
hacked.
Also note that in my example a tab is still opened to the URL,
so one could very well provide a real URL in order to mask his
attack from those that do not use rtv.
The impact
The impact is critical: hundreds of computers can be impacted at
once. While it needs user interaction it is very easy to hide the
attack from one.
Recommended fix
The best would be not to evaluate Python code at all. Every code
injection problem comes from bugs at the interface between two
languages or layers.
The quickest solution, though, would be to escape quotes and
backslashes within the URL. Escaping each and every character would
break lots of URLs, but at the very least quotes and backslashes
shouldn't be part of it.
I don't recommend the quick solution though: executing external code
through proper means is better.
Course of action
In my humble opinion your best course of action is to patch it as
soon as possible then issue a clear warning to already existing
users, maybe by getting a CVE number (Common Vulnerability and
Exposures, a global reference for all security vulnerabilities in
software of some importance).
I hope this finds you well,
Sincerely,
Cédric Picard
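The injection described in the report, as an added example that is not rtv's own code and not part of the original message. It reconstructs the shape of the bug (a `python -c` command assembled by string formatting, with the URL pasted into a single-quoted Python literal) beside the hardened form the report recommends, where the `-c` source text is constant and the URL travels as its own argv element. The real browser call is replaced by a hypothetical stub that echoes the URL so the child process runs offline; the exact rtv source and line are assumptions, only the pattern is taken from the report.

```python
"""Python code injection through a string-built ``python -c`` command.

Added example, not rtv's code: reconstructs the vulnerable pattern the
report describes and contrasts it with a version that never turns the
URL into Python source.
"""
import ast
import subprocess
import sys

# Constructed inputs: the payload is the report's own example URL.
MALICIOUS_URL = "http://test.com/?q=');print('hacked');print('"
BENIGN_URL = "http://test.com/?q=hello"

# Hypothetical test fixture so the demo runs offline: replaces the
# ``webbrowser`` module in the child interpreter with a stub that writes
# "OPEN <url>" instead of launching a browser.
STUB_PRELUDE = (
    "import sys, types; "
    "sys.modules['webbrowser'] = types.SimpleNamespace("
    "open_new_tab=lambda u: sys.stdout.write('OPEN ' + u + '\\n')); "
)


def build_command_unsafe(url):
    """Vulnerable pattern: the URL is interpolated into Python source text.

    A single quote in the URL closes the string literal; everything after
    it is parsed and executed as code by the child interpreter.
    """
    return "import webbrowser; webbrowser.open_new_tab('%s')" % url


def build_argv_safe(url):
    """Hardened pattern: the ``-c`` source is a constant and the URL is an
    argv element the child reads back via sys.argv[1].

    No escaping is required because the URL is never parsed as code.
    """
    code = "import sys, webbrowser; webbrowser.open_new_tab(sys.argv[1])"
    return [sys.executable, "-c", code, url]


def statement_count(source):
    """Number of top-level statements in generated source.

    A quick check for this bug class: user data must never change how many
    statements the interpreter sees.
    """
    return len(ast.parse(source).body)


def run_child(argv):
    """Run a ``[python, -c, code, ...]`` argv with the browser stubbed out
    and return the child's captured stdout."""
    stubbed = list(argv)
    stubbed[2] = STUB_PRELUDE + stubbed[2]
    result = subprocess.run(stubbed, capture_output=True, text=True, check=True)
    return result.stdout


def demo(url):
    """Execute both variants against ``url`` and return their outputs."""
    unsafe_argv = [sys.executable, "-c", build_command_unsafe(url)]
    return {
        "unsafe": run_child(unsafe_argv),
        "safe": run_child(build_argv_safe(url)),
    }


if __name__ == "__main__":
    for name, out in demo(MALICIOUS_URL).items():
        print("%s -> %r" % (name, out))
```

With the report's URL, the unsafe variant opens a tab on the truncated `http://test.com/?q=` and then runs the injected `print('hacked')`, exactly the behaviour the report notes; the safe variant opens the full URL, quotes included, and executes nothing else. The statement count makes the difference visible without running anything: the unsafe source grows from two statements to four, while the safe source stays at two whatever the URL contains.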