From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] misc-progs: getipstat: Extend functionality Date: Mon, 26 Apr 2021 11:40:01 +0100 Message-ID: In-Reply-To: <20210423162249.18323-1-robin.roevens@disroot.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4132422196150288959==" List-Id: --===============4132422196150288959== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Robin, > On 23 Apr 2021, at 17:22, Robin Roevens wrote: >=20 > * bugfix: Make sure outputfiles are removed beforehand > to prevent permission errors writing to them. > * Add optional parameter "-x" to have iptables report exact numbers > * Add optional parameter "-f " to save iptables > filters table output to an alternate filename > * Add optional parameter "-n " to save iptables > nat table output to an alternate filename > * Add optional parameter "-m " to save iptables > mangle table output to an alternate filename >=20 > Signed-off-by: Robin Roevens > --- > src/misc-progs/getipstat.c | 74 +++++++++++++++++++++++++++++++++++--- > 1 file changed, 69 insertions(+), 5 deletions(-) >=20 > diff --git a/src/misc-progs/getipstat.c b/src/misc-progs/getipstat.c > index c806d54a9..57ad81d46 100644 > --- a/src/misc-progs/getipstat.c > +++ b/src/misc-progs/getipstat.c > @@ -2,6 +2,15 @@ > * > * Get the list from IPTABLES -L > *=20 > + * Optional commandline parameters: > + * -x=20 > + * instruct iptables to expand numbers I would say that we should always call iptables with =E2=80=9C-x=E2=80=9D (I = have no idea why this isn=E2=80=99t the default). There is no point to have t= his configurable because this command is not being called by a user and so we= should make a decision either way. > + * -f > + * output filter table to alternative filename in /var/tmp/ This is adding a shell command line injection vulnerability into the code whi= ch allows an unprivileged user to execute commands as root. More below. > + * -n > + * output nat table to alternative filename in /var/tmp/ > + * -m > + * output mangle table to alternative filename in /var/tmp/ > */ >=20 > #include > @@ -12,16 +21,71 @@ > #include > #include "setuid.h" >=20 > +int cmdOutputToFile(char *cmd, char *filename) { > + FILE *file; > + char command[STRING_SIZE]; >=20 > -int main(void) > + // remove file if it already exist to prevent permission denied errors > + // if we have no explicit write permission on it. > + if ((file =3D fopen(filename, "r"))) { > + fclose(file); > + if (remove(filename) !=3D 0) { > + fprintf(stderr, "\n%s could not be overwritten.\n", filename); > + return 1; > + } > + } You can simply use access() to check if a file already exists. That avoids ac= tually allocating a whole file descriptor. > + // Execute command and redirect output to file > + snprintf(command, STRING_SIZE - 1, "%s > %s", cmd, filename); > + return safe_system(command); Here is the bit that introduces the vulnerability by passing through =E2=80= =9Cfilename=E2=80=9D without any sanitisation. Since safe_system() is calling a shell, a filename like =E2=80=9C/dev/null; r= eboot=E2=80=9D would reboot the system. Trying to open the file before will w= ork fine, because almost anything is a legal filename. So this solution is not acceptable as it pretty much allows anyone to run any= thing. > +} > + > +int main(int argc, char** argv) > { > + // Set defaults > + char params[STRING_SIZE] =3D "-L -v -n"; > + char out_file_filter[STRING_SIZE] =3D "/var/tmp/iptables.txt"; > + char out_file_nat[STRING_SIZE] =3D "/var/tmp/iptablesnat.txt"; > + char out_file_mangle[STRING_SIZE] =3D "/var/tmp/iptablesmangle.txt"; > + > + int opt; > + char command[STRING_SIZE]; > +=09 > if (!(initsetuid())) > exit(1); >=20 > - safe_system("/sbin/iptables -L -v -n > /var/tmp/iptables.txt"); > - safe_system("/sbin/iptables -L -v -n -t nat > /var/tmp/iptablesnat.txt"); > - safe_system("/sbin/iptables -t mangle -L -v -n > /var/tmp/iptablesmangle.= txt"); > - safe_system("chown nobody.nobody /var/tmp/iptables.txt /var/tmp/iptablesn= at.txt /var/tmp/iptablesmangle.txt"); > + // Parse command line params > + if (argc > 1) { > + while ((opt =3D getopt(argc, argv, "xf:n:m:")) !=3D -1) { > + switch(opt) { > + case 'x': > + strcat(params, " -x"); > + break; See above. > + case 'f': > + snprintf(out_file_filter, STRING_SIZE - 1, "/var/tmp/%s", optarg); > + break; > + case 'n': > + snprintf(out_file_nat, STRING_SIZE - 1, "/var/tmp/%s", optarg); > + break; > + case 'm': > + snprintf(out_file_mangle, STRING_SIZE - 1, "/var/tmp/%s", optarg); > + break; I agree with the argument parsing. We should simply expect one of -f, -n or -= m being passed and then only run the one command. A much better solution would be to not write the output to disk at all (saves= the whole sanitisation headache), but just output it to the console. That wa= y, we can parse it very easily in the existing perl CGI scripts because we do= not do anything else but reading the file back again; and you can do the sam= e in Zabbix. Is that an acceptable solution for you? Best, -Michael > + default: > + fprintf(stderr, "\nBad argument given.\n\ngetipstat [-x][-f ][-n ][-m ]\n"); > + exit(1); > + } > + } > + } > + > + // Generate ipstat files > + snprintf(command, STRING_SIZE - 1, "/sbin/iptables %s", params); > + cmdOutputToFile(command, out_file_filter); > + snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat %s", params); > + cmdOutputToFile(command, out_file_nat); > + snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle %s", params); > + cmdOutputToFile(command, out_file_mangle); > + snprintf(command, STRING_SIZE - 1, "chown nobody.nobody %s %s %s", out_fi= le_filter, out_file_nat, out_file_mangle); > + safe_system(command); > =09 > return 0; > } > --=20 > 2.31.1 >=20 >=20 > --=20 > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn. >=20 --===============4132422196150288959==--