On 7/24/2019 6:54 AM, Axel Beckert wrote:
Hi,
On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
Although some of these overflows are not exploitable, others, including an XSS vulnerability are. [...]

- CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
- CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486

Can either you or Graham get a bit more into the details regarding the impact of any of these vulnerabilities, or point out a posting where they are explained in more detail? So far I wasn't able to dig up any posting or similar, e.g. by the Cambridge CSIRT or Graham.
Currently the severity as well as the actual impact of these issues is quite unclear, also because the CVE-IDs all still say "RESERVED".
Regards, Axel
CSIRT may still have a write-up pending on these, but it is believed that the only impact is segfaults when passed invalid/overflow input. This is typically a hostsvc being parsed and assigned to a PATH_MAX-sized variable via sprintf rather than snprintf. The buffer overflow occurs, but it is not being passed unprocessed to a shell. In some cases passed parameters are passed through html quoting, thereby exceeding the intended size through " " -> " " inflation, which leads to a buffer overflow when (unsafely) assigning to error output.
There was an initial concern about unparsed input being handed to xymongen during report generation, however this is passed as a single execv argument rather than via shell processing. This could lead to erroneous xymongen resource use by anyone with access to /xymon-seccgi/report.sh, however the same could be said for any (legitimate) access here.
The XSS (CVE-2019-13274) is trivially exploitable by attempting to pass javascript through the db parameter to csvinfo.sh.
Beyond the CVEs, we wanted to try to remove a large number of sprintf uses (especially in the web and lib code) to help potentially reduce future issues.
Regards, -jc
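The overflow pattern described above (a hostsvc copied into a PATH_MAX-sized buffer with sprintf, made worse when HTML quoting inflates the input before the copy) and its bounded counterpart, as an added illustration that is not xymon code and not part of this thread. The function names, the entity table and the error-message format are all assumptions chosen for the example; only the PATH_MAX buffer, sprintf versus snprintf and quoting inflation come from the discussion.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical HTML quoting routine. Escapes <, >, & and " into entities, so a
 * single '"' becomes six bytes; that is the inflation that can push an input
 * past a buffer that was sized for the raw string. Returns the number of bytes
 * the fully quoted string needs (excluding the NUL), snprintf-style, so the
 * caller can detect truncation: a return value >= outsz means it did not fit.
 * Output stops at the first entity that would not fit, so what is written is
 * always a NUL-terminated prefix of the correct result. */
size_t html_quote(const char *in, char *out, size_t outsz)
{
    size_t needed = 0, pos = 0;
    int truncated = 0;
    for (const char *p = in; *p; p++) {
        char single[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        default:   rep = single;   break;
        }
        size_t rl = strlen(rep);
        needed += rl;
        if (!truncated && outsz > 0 && pos + rl < outsz) {  /* keep room for NUL */
            memcpy(out + pos, rep, rl);
            pos += rl;
        } else {
            truncated = 1;
        }
    }
    if (outsz > 0)
        out[pos] = '\0';
    return needed;
}

/* The pattern the thread describes: sprintf into a fixed PATH_MAX buffer with
 * no length check. Kept here only to show the shape of the defect; it is never
 * called, because an over-long hostsvc would overflow 'quoted' (undefined
 * behaviour, typically the segfault mentioned in the thread). */
void format_error_line_unsafe(const char *hostsvc, char *out)
{
    char quoted[PATH_MAX];
    html_quote(hostsvc, quoted, sizeof quoted);
    sprintf(out, "Invalid host/service name: %s", quoted);  /* unbounded */
}

/* Bounded version: every copy is length-limited and every truncation is
 * treated as an error, so an inflated input is rejected instead of written
 * past the end of the buffer. Returns 0 on success, -1 if it did not fit. */
int format_error_line(const char *hostsvc, char *out, size_t outsz)
{
    char quoted[PATH_MAX];
    size_t need = html_quote(hostsvc, quoted, sizeof quoted);
    if (need >= sizeof quoted)
        return -1;                       /* quoting inflated past PATH_MAX */
    int n = snprintf(out, outsz, "Invalid host/service name: %s", quoted);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                       /* snprintf truncated: reject, do not emit */
    return 0;
}

int main(void)
{
    char out[PATH_MAX];
    char many_quotes[1001];
    memset(many_quotes, '"', 1000);      /* constructed input: 1000 raw bytes */
    many_quotes[1000] = '\0';

    printf("plain input: rc=%d -> %s\n",
           format_error_line("www,http", out, sizeof out), out);
    /* 1000 quote characters quote to 6000 bytes, more than a 4096-byte PATH_MAX
     * buffer, so the bounded version refuses rather than overflowing. */
    printf("inflated input: rc=%d\n",
           format_error_line(many_quotes, out, sizeof out));
    return 0;
}
```

The point of returning the needed length from html_quote is that the caller can size-check before the copy instead of after the overflow; the `rc=-1` path is where the original code would already have written past the buffer.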