cron.daily/aide incorrectly handles certain filenames

Bug #658489 reported by David Duffey
Affects: aide (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: aide

My "Daily AIDE report" reported the following:

-- snip --

The following software updates were detected and were filtered from this list:
coreutils

-- snip --

yet it did not filter the files in the package list like it was supposed to. For example, it still reported these two changes:

changed: /usr/share/man/man1/[.1.gz
changed: /usr/bin/[

Which caused /etc/cron.daily/aide to bomb with the following error:

-- snip --
Anacron job 'cron.daily' on cylon
/etc/cron.daily/aide:
grep: Unmatched [ or [^
grep: Unmatched [ or [^
-- snip --

As you can see, the aide shell script is reading the name of a file that includes a left square bracket, and grep is trying to interpret that as a regular expression. I narrowed down the problem to two lines here:

/etc/cron.daily/aide:328: if [ -z "$(grep "^${BASH_REMATCH[2]}$" "$FILTERTMP3")" ]; then

and

/etc/cron.daily/aide:350: < "$NOISETMP2" grep -v "^\(changed\|removed\|added\): $NOISE" >> "$NOISETMP"

Those two lines should be fixed such that the bash variables escape any regular expressions before being passed to grep.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: aide-common 0.13.1-11ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-25.44-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Mon Oct 11 10:50:37 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
PackageArchitecture: all
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: aide

David Duffey (dduffey) wrote :

grep has a -F option to search for a fixed string, which would work for line 328, but I am not sure how you would accomplish the same thing for line 350 which has a valid regular expression and then a filename that should be treated as a fixed string.
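
Added example, not part of the original report or of the aide package: one way to handle both cases raised above, using `grep -Fx` for the exact-line lookup and escaping only the file name before it is interpolated into the line-350 style pattern. The helper names and the sample report are constructed for illustration, and the path is assumed to contain no newline.

```shell
#!/bin/bash
# Added example: helper names are hypothetical, not taken from /etc/cron.daily/aide.

# Backslash-escape the characters that are special in a POSIX basic regular
# expression ( [ \ . * ^ $ ) so a path matches itself literally in a pattern.
bre_escape() {
    printf '%s\n' "$1" | sed 's/[[\.*^$]/\\&/g'
}

# Line-328 case: succeed if path $1 appears as a whole line on stdin.
# -F takes the pattern as a fixed string, -x replaces the ^...$ anchors,
# and -- stops a path starting with "-" from being parsed as an option.
listed_exactly() {
    grep -Fxq -- "$1"
}

# Line-350 case: remove report lines for path $1 from stdin. The
# changed/removed/added alternation stays a regex; only the path is escaped.
# grep exits 1 when it prints nothing, which is fine here; 2 is a real error
# (such as "Unmatched [") and is passed on to the caller.
drop_report_lines() {
    local escaped
    escaped=$(bre_escape "$1")
    grep -v "^\(changed\|removed\|added\): ${escaped}" || [ "$?" -eq 1 ]
}

# Constructed sample data using the file names from the report.
SAMPLE_REPORT='changed: /usr/share/man/man1/[.1.gz
changed: /usr/bin/[
changed: /usr/bin/ls'

# Prints the report without the "/usr/bin/[" line and without a grep error.
printf '%s\n' "$SAMPLE_REPORT" | drop_report_lines '/usr/bin/['
```
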

Kees Cook (kees) wrote : Re: cron.daily/aide will execute arbitrary regex

Thanks for this report! It seems like it is only a regex that is under control. I don't immediately see a way that this could result in arbitrary code execution. It certainly could be used to alter report results, and should be fixed, but I wanted to see if you had examples for how it could be used for arbitrary code execution.

summary: - cron.daily/aide will execute arbitrary code
+ cron.daily/aide will execute arbitrary regex
Changed in aide (Ubuntu):
status: New → Incomplete
assignee: nobody → Kees Cook (kees)
assignee: Kees Cook (kees) → Marc Deslauriers (mdeslaur)
status: Incomplete → Confirmed
importance: Undecided → Low
David Duffey (dduffey) wrote :

Kees, you are correct. I noticed the mistake in the title after I created the report, but didn't seem to be able to edit the title.

Thanks

summary: - cron.daily/aide will execute arbitrary regex
+ cron.daily/aide incorrectly handles certain filenames
visibility: private → public
Changed in aide (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → nobody
This report contains Public Security information  
Everyone can see this security related information.
