Vulnerability

Global

Affected

Global-3.55 (NetBSD)

Description

The following is based on NetBSD Security Advisory 2000-014. When using the CGI interface of the Global v3.55 package, it's possible to execute arbitrary commands. global is a source-code tagging system for indexing and searching large bodies of source code. Exploitation is possible because this version does not sufficiently handle quoted or escaped characters in command line arguments that are then handed off to shell commands.

The global port, versions 3.5 through to 3.55, contains a vulnerability in the CGI script generated by the htags utility which allows a remote attacker to execute code on the local system as the user running the script, typically user 'nobody' in most installations. If the 'htags -f' command is used to generate a CGI script which is then installed under a webserver, then remote users may execute arbitrary commands on the local system as the user which runs the CGI script.

If you have not chosen to install the global port/package, or you have not used the 'htags -f' command to produce a CGI script, then your system is not vulnerable to this problem.

The problem was reported in NetBSD PR 11165 by the author of global, Shigio Yamaguchi. The package was updated as a collaboration of Hubert Feyrer and David Brownlee. Hubert Feyrer also drafted this security advisory.

Solution

To find out if you have the problematic version of the global package installed, type

    pkg_info -e global

If this displays "global-3.55" or below, you are vulnerable. If this displays "global-4.0.1" or higher, your system is not vulnerable. If this displays no output at all, it means you don't have the "global" package installed, and your system is not vulnerable.

If your system is vulnerable, the best solution is to upgrade to the latest version in pkgsrc, which is 4.0.1 as of this writing.
There are precompiled binary packages of global for some NetBSD ports available from:

    ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/devel/global/README.html

If no precompiled binary is available for your platform, you can build your own from source.

To render the vulnerability unexploitable, modify the file 'HTML/cgi-bin/global.cgi' around line 35, and change the generated code from:

    $pattern =~ s/'//g; # to shut security hole

to

    $pattern =~ s/"//g; # to shut security hole

For FreeBSD:

    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/global-4.0.1.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/global-4.0.1.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/global-4.0.1.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/global-4.0.1.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/global-4.0.1.tgz
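
The package check and the global.cgi check described under Solution can be scripted. The shell helper below is an added example, not part of the NetBSD advisory or of the global package; the function names 'ver_cmp', 'classify_global' and 'cgi_unpatched' and the sample strings are assumptions made for illustration. Versions between 3.55 and 4.0.1 are reported as 'unknown' because the advisory does not classify them.

```sh
#!/bin/sh
# Added example: scripts the advisory's package check and global.cgi check.
# Function names and sample strings are illustrative assumptions.

# ver_cmp A B: print -1, 0 or 1 when dotted version A is older than,
# equal to, or newer than B (numeric comparison per component).
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# classify_global PKG: PKG is the output of 'pkg_info -e global',
# empty when the package is not installed.
classify_global() {
    pkg=$1
    [ -n "$pkg" ] || { echo not-installed; return; }
    ver=${pkg#global-}
    ver=${ver%%[!0-9.]*}          # drop any non-numeric suffix
    [ -n "$ver" ] || { echo unknown; return; }
    if [ "$(ver_cmp "$ver" 3.55)" -le 0 ]; then
        echo vulnerable           # "global-3.55" or below
    elif [ "$(ver_cmp "$ver" 4.0.1)" -ge 0 ]; then
        echo not-vulnerable       # "global-4.0.1" or higher
    else
        echo unknown              # in between: advisory does not say
    fi
}

# cgi_unpatched FILE: succeed if FILE still contains the original
# quote-stripping line that the advisory says to replace.
cgi_unpatched() {
    grep -qF "\$pattern =~ s/'//g;" "$1"
}

# Constructed sample outputs of 'pkg_info -e global' (not from a real host).
for sample in "global-3.5" "global-3.55" "global-4.0" "global-4.0.1" ""; do
    printf '%-14s -> %s\n' "${sample:-(no output)}" "$(classify_global "$sample")"
done
```

On a real host, pass the command's output directly, as in classify_global "$(pkg_info -e global)", and run cgi_unpatched against each installed copy of 'HTML/cgi-bin/global.cgi'.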