Re: Escape sequences in /var/log/auth.log

Re: Escape sequences in /var/log/auth.log

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 2148 bytes --]

Hi,

This seems to be a bug in util-linux, not shadow, so I've added
util-linux@ to the thread.

The discussion started in the email below, and was later continued in
<https://github.com/shadow-maint/shadow/pull/960>.

Have a lovely day!
Alex

On Sat, Mar 02, 2024 at 11:33:16AM -0600, Serge E. Hallyn wrote:
> On Sat, Mar 02, 2024 at 11:34:07AM -0500, Skyler Ferrante (RIT Student) wrote:
> > Hi Serge,
> > 
> > I was playing around with some of the shadow-utils binaries and I
> > realized that an unprivileged user can set argv[0] to contain escape
> > sequences, and then cause it to be logged in /var/log/auth.log.
> > 
> > PoC
> > ```
> > #include<stdio.h>
> > #include<unistd.h>
> > int main(int argc, char** my_argv){
> >         char* prog = "/usr/bin/su";
> >         char* argv[] = {"\033[33mYellow", "root", NULL};
> >         char* envp[] = {NULL};
> > 
> >         execve(prog, argv, envp);
> >         printf("Failed to exec\n");
> > }
> > ```
> > Run the binary, and type an incorrect password for root. Now run `tail
> > /var/log/auth.log`. It should contain Yellow text. This can be used to
> > hide log contents (move the cursor/delete characters). Some terminals
> > also allow setting clipboard contents through escape sequences (my
> > terminal, windows-terminal, supports this).
> > 
> > It may be a good idea to refuse argv[0] if it contains binary data.
> > You could also prevent this bug by not allowing an attacker to choose
> > Prog (e.g. su could just use "su" as Prog).
> > 
> > If you don't think this is a bad enough security issue to hide, I can
> > post an issue on github. I would argue that you shouldn't cat auth.log
> > or view it from tail, but I know a lot of people do.
> > 
> > Cheers,
> > Skyler
> 
> Terminals can be a nuisance :)
> 
> I don't think we need to hide this issue, but of course definitely address
> it.  I'm Cc:ing the other maintainers in case they feel differently.
> 
> Did you want to send a PR to fix it?
> 
> Thanks,
> -serge

-- 
<https://www.alejandro-colomar.es/>
Looking for a remote C programming job at the moment.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Escape sequences in /var/log/auth.log

[Karel Zak]

On Sun, Mar 03, 2024 at 11:59:51AM +0100, Alejandro Colomar wrote:
> This seems to be a bug in util-linux, not shadow, so I've added
> util-linux@ to the thread.

Fixed. Thanks for your report.

    Karel


-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: Escape sequences in /var/log/auth.log

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 696 bytes --]

[TO += Skyler]

Hi Karel, Skyler,

On Mon, Mar 04, 2024 at 01:33:59PM +0100, Karel Zak wrote:
> On Sun, Mar 03, 2024 at 11:59:51AM +0100, Alejandro Colomar wrote:
> > This seems to be a bug in util-linux, not shadow, so I've added
> > util-linux@ to the thread.
> 
> Fixed. Thanks for your report.

Thank you.

Skyler, it's been fixed here:
<https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=677a3168b261f3289e282a02dfd85d7f37de0447>

Have a lovely day!
Alex

>     Karel
> 
> 
> -- 
>  Karel Zak  <kzak@redhat.com>
>  http://karelzak.blogspot.com

-- 
<https://www.alejandro-colomar.es/>
Looking for a remote C programming job at the moment.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]