ctags(1) command execution vulnerability

Michael Hamburg hamburg at fas.harvard.edu
Mon May 3 23:44:10 PDT 2004 

While I don't think that's much of a vulnerability (you can only really 
attack your own account), your patch doesn't fix it.  You can still 
executed code with:

ctags -u -f "'; echo hi '" *.c

To remove this "vulnerability," you'd have to either escape the string, 
then quote it, or even better, do the system call with a vector.  It 
probably isn't worth the bother, but if you want to patch it, patch it 
right...

Mike Hamburg

On May 4, 2004, at 1:49 AM, Roman Bogorodskiy wrote:

> Hello,
>
> 	ctags(1) uses external application sort(1) for sorting the tags file.
> It calls it via system(3) function.
>
> Look at the /usr/src/usr.bin/ctags/ctags.c file, there are such lines
> here:
>
> if (uflag) {
> 	(void)asprintf(&cmd, "sort -o %s %s",
> 	    outfile, outfile);
> 	if (cmd == NULL)
> 		err(1, "out of space");
> 	system(cmd);
> 	free(cmd);
> 	cmd = NULL;
> }
>
> This code will be executed when "-u" arg was given. So, if we'll 
> execute
> ctags in a such way:
>
> ctags -u -f ';echo hi' *.c
>
> we get the following:
>
> Syntax error: ";" unexpected
> sort: option requires an argument -- o
> Try `sort --help' for more information.
> hi
> hi
>
> We can put any command instead of 'echo hi' and it would be executed
> (for two times).
>
> I understand that ctags(1) is not a suid application and this
> vulnerability probably could not be exploited. Never the less, this is 
> a
> bad behavior for any kind of program.
>
> Solution:
>
> --- usr.bin/ctags/ctags.c.orig	Tue May  4 09:23:30 2004
> +++ usr.bin/ctags/ctags.c	Tue May  4 09:25:48 2004
> @@ -166,7 +166,7 @@
>  			if (uflag) {
>  				for (step = 0; step < argc; step++) {
>  					(void)asprintf(&cmd,
> -					    "mv %s OTAGS; fgrep -v '\t%s\t' OTAGS >%s; rm OTAGS",
> +					    "mv '%s' OTAGS; fgrep -v '\t%s\t' OTAGS >'%s'; rm OTAGS",
>  					    outfile, argv[step], outfile);
>  					if (cmd == NULL)
>  						err(1, "out of space");
> @@ -181,7 +181,7 @@
>  			put_entries(head);
>  			(void)fclose(outf);
>  			if (uflag) {
> -				(void)asprintf(&cmd, "sort -o %s %s",
> +				(void)asprintf(&cmd, "sort -o '%s' '%s'",
>  				    outfile, outfile);
>  				if (cmd == NULL)
>  					err(1, "out of space");
>
>
> -Roman Bogorodskiy
>

More information about the freebsd-security mailing list