http direct to terminals?

Bug #1649352 reported by Seth Arnold on 2016-12-12
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
base-files (Ubuntu)
Critical
Dustin Kirkland 

Bug Description

Hi Dustin,

Some recent changes introduced what looks to be a serious problem:

http://launchpadlibrarian.net/296647523/base-files_9.6ubuntu7_9.6ubuntu8.diff.gz

-SERVER="https://motd.ubuntu.com"
+# White space separated list of 0 to many news services
+SERVER="http://motd.ubuntu.com"
[...]
+ if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" -o- "$s" >"$NEWS" 2>"$ERR"; then
+ echo
+ # At most, 2 lines of at most 80 characters
+ cat "$NEWS" | tail -n 2 | cut -c -80

This allows any network man-in-the-middle attacker, DNS response forger, or BGP forger, to write 160 raw bytes directly to terminals.

The previous version wasn't good (open for abuse by anyone who could trick one of the myriad x.509 Certificate Authorities to mis-issue a certificate) but this version is open for abuse by significantly more attackers.

While most terminals are reasonably safe against outright maliciousness this has been a recurring exploitation theme for twenty years, and even what is "safe" for them to display could be wildly confusing to users unfamiliar with maliciously controlled terminals. (And users have wide tastes in terminals, some are fairly brittle.)

cat(1) does not do any filtering for 'safe' display of arbitrary inputs. less(1) does, assuming -r is not in LESS environment variable or the less(1) command line. If you wish to keep the pipeline, perhaps tr(1)'s -d flag could be useful.

On a related note, is there a reason why the motd.ubuntu.com server can't do HTTPS?

Thanks

Dimitri John Ledkov (xnox) wrote :

This looks a lot like a call-home backdoor.

Changed in base-files (Ubuntu):
importance: Undecided → Critical
status: New → Confirmed
Changed in base-files (Ubuntu):
assignee: nobody → Dustin Kirkland  (kirkland)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-files - 9.6ubuntu9

---------------
base-files (9.6ubuntu9) zesty; urgency=medium

  * Fix LP: #1649352
    - use https://motd.ubuntu.com in the default file
    - enforce that every news server must be https
    - take at most the first 10 lines, and first 80 chars per line
    - remove all control characters (except newline)

 -- Dustin Kirkland <email address hidden> Sat, 17 Dec 2016 09:19:53 -0600

Changed in base-files (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers