security: anyone can make mapserv read or write arbitrary files

Bug #398814 reported by Stephane Chazelas
Affects                      Status        Importance  Assigned to  Milestone
mapserver (Ubuntu)           Fix Released  Undecided   Unassigned
mapserver (Ubuntu Dapper)    Won't Fix     Undecided   Unassigned
mapserver (Ubuntu Hardy)     Fix Released  Undecided   Unassigned
mapserver (Ubuntu Intrepid)  Fix Released  Undecided   Unassigned
mapserver (Ubuntu Jaunty)    Fix Released  Undecided   Unassigned
mapserver (Ubuntu Karmic)    Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: cgi-mapserver

/usr/lib/cgi-bin/mapserv takes as CGI parameter a map argument which is the path to any file with a .map extension on the server file system.

A google search on inurl:/cgi-bin/mapserv gives a few mapserv demo sites, querying for instance:

http://biometry.gis.umn.edu/cgi-bin/mapserv.exe?map=/boot/grub/device.map

returns:

msLoadMap(): Unknown identifier. Parsing error near (hd0):(line 1)

That "hd0" above gives a glimpse of the content of that map file.

Worse, one can cause mapserv to write data anywhere through the map_web CGI parameter, littering the server's file system; that space is never reclaimed AFAICS.

It can cause DOS by filling up system file systems that way.

I suspect that one with write access to some areas on the server could get some privilege escalation by crafting some map file as well.

Looking at the code (mapserver-5.0.3 ubuntu source package), there's plenty of scope for buffer overflows, and I could easily get a crash with a large map CGI argument (adding a large /././././... somewhere in the path for instance). I suppose there's potential for running arbitrary code there as well.

Those shouldn't be CGI parameters, those paths should be defined by the system administrator, not the user! For instance through a /etc/mapserv/maps.d or something like that.

A workaround for now would be to use apparmor or selinux to only allow mapserv to open predefined map files, but that would not solve the buffer overflow problems. Or maybe a wrapper that checks the QUERY_STRING and POST data before passing it along to mapserv.

ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 9.04
NonfreeKernelModules: nvidia
Package: cgi-mapserver 5.0.3-3build1
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/bin/zsh
SourcePackage: mapserver
Uname: Linux 2.6.30-rc6-custom i686

Revision history for this message
Stephane Chazelas (stephane-chazelas) wrote : Re: [Bug 398814] [NEW] security: anyone can make mapserv read or write arbitrary files

2009-07-13 14:27:30 -0000, Stephane Chazelas:
> *** This bug is a security vulnerability ***
>
> Private security bug reported:
>
> Binary package hint: cgi-mapserver

A few additional comments inline:

> /usr/lib/cgi-bin/mapserv takes as CGI parameter a map argument which is
> the path to any file with a .map extension on the server file system.

Due to another bug (probably wrong flags passed to the regexp
matching function), it doesn't have to be a .map file. If one does
a:

ln -s / $'/tmp/.map\n'

on the server, then one can have mapserv read any file:

http://localhost/cgi-bin/mapserv?map=/tmp/.map%0A/etc/passwd

gives:

msLoadMap(): Unknown identifier. Parsing error near (root):(line 1)

Of course, if one has the right to create files on the server,
he can probably do much worse with a real map file.

[...]
> Worse, one can cause mapserv to write data anywhere through the map_web
> CGI parameter, littering the server's file system, that space is never
> reclaimed AFAICS.

"anywhere" above would be "any directory the user running apache
has write access to", so temp or other spool/cache areas, but
also directories owned or writable by www-data as in poorly
designed web sites or web sites that have web services with an
"on-line" upgrade facility.

> It can cause DOS by filling up system file systems that way.

One with an account on the server can probably also get www-data
to overwrite any file it has write access to with a symlink by
the name of one of those png files mapserv creates.

> Looking at the code (mapserver-5.0.3 ubuntu source package), there's
> plenty of scope for buffer overflows, and I could easily get a crash
> with a large map CGI argument (adding a large /././././... somewhere in
> the path for instance). I suppose there's potential for running
> arbitrary code there as well.

It looks like new versions of mapserv have solved some of those
problems, but not the core one:

> Those shouldn't be CGI parameters, those paths should be defined by the
> system administrator, not the user! For instance through a
> /etc/mapserv/maps.d or something like that.

That is the ability of the client to specify those parameters.

> A work around for now, would be to use apparmor or selinux to only allow
> mapserv to open predefined map files, but that would not solve the
> buffer overflow problems. Or maybe a wrapper that checks the
> QUERY_STRING and POST data before passing it along to mapserv.

A chroot jail could also be a solution.

See also http://trac.osgeo.org/mapserver/ticket/1836

regards,
Stephane
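
The two points raised above (the regexp flag issue that lets a newline defeat a "\.map$" suffix check, and the suggestion that map paths be restricted to an administrator-defined directory) as an added example, not MapServer code and not from the reporter. It assumes a validator named validate_map_param() and a configured directory maps_dir; the helper regex_accepts_map() only shows how the POSIX REG_NEWLINE flag changes what '$' matches.

```c
/* Added example, not MapServer code: an allow-list check for a CGI "map"
 * parameter.  Assumed names: validate_map_param(), maps_dir.  With
 * REG_NEWLINE a POSIX '$' also matches before an embedded newline, so a
 * bare "\.map$" accepts "/tmp/.map\n/etc/passwd"; a byte-level allow-list
 * rejects it regardless of regex flags. */
#include <ctype.h>
#include <regex.h>
#include <string.h>

/* 1 if the POSIX regex "\.map$" compiled with cflags accepts s, else 0. */
int regex_accepts_map(const char *s, int cflags)
{
    regex_t re;
    if (regcomp(&re, "\\.map$", cflags | REG_NOSUB) != 0)
        return 0;
    int ok = regexec(&re, s, 0, NULL, 0) == 0;
    regfree(&re);
    return ok;
}

/* Strict allow-list: the parameter must be an absolute path directly
 * under maps_dir, use only [A-Za-z0-9._-/], have no empty or ".."
 * component, and end in "<name>.map" with a non-empty name.
 * Returns 1 when acceptable, 0 otherwise. */
int validate_map_param(const char *param, const char *maps_dir)
{
    size_t n = strlen(param), d = strlen(maps_dir);
    if (n == 0 || n >= 256 || d == 0) return 0;
    if (strncmp(param, maps_dir, d) != 0 || param[d] != '/') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;                       /* rejects '\n', '%', ' ', ... */
        if (c == '/' && (param[i + 1] == '/' || param[i + 1] == '\0'))
            return 0;                       /* "//" or trailing slash */
        if (c == '/' && param[i + 1] == '.' && param[i + 2] == '.' &&
            (param[i + 3] == '/' || param[i + 3] == '\0'))
            return 0;                       /* ".." component */
    }
    /* at least "/x.map" after maps_dir, and the suffix checked by bytes */
    if (n < d + 6 || strcmp(param + n - 4, ".map") != 0) return 0;
    return 1;
}
```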

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. I have requested information from mapserver developers for submitting a security bug, and will forward this bug to them when I receive a response.

Changed in mapserver (Ubuntu):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This bug has now been forwarded to the upstream security contact.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Per upstream, the .map issue is CVE-2009-0842. Fixed in 5.2.2-1. See:
http://trac.osgeo.org/mapserver/ticket/2941
http://trac.osgeo.org/mapserver/changeset/8805

Per upstream, the other issue should be fixed in the 5.4 series. I've requested a CVE and the bug reference.

visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The second issue is:
http://trac.osgeo.org/mapserver/ticket/1836

According to that bug, this functionality has been removed in mapserver 5.4.

Changed in mapserver (Ubuntu Dapper):
status: New → Confirmed
Changed in mapserver (Ubuntu Hardy):
status: New → Confirmed
Changed in mapserver (Ubuntu Intrepid):
status: New → Confirmed
Changed in mapserver (Ubuntu Jaunty):
status: New → Confirmed
Revision history for this message
Alan Boudreault (aboudreault) wrote :
Changed in mapserver (Ubuntu Intrepid):
status: Confirmed → In Progress
Revision history for this message
Alan Boudreault (aboudreault) wrote :

I would like to be informed as soon as someone checks the intrepid patch. If everything is ok, I will work on the patch of a few other distributions.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Alan,

Sorry for the delay on this. Your submitted patch for Intrepid was not marked as a patch and our automated scripting didn't show it in our list of patches to review. I fixed that.

The patch for Intrepid looks great and I'm going to go ahead and upload it to the security PPA. Can you detail the testing performed? Feel free to upload for the other releases and indicate the testing performed. Thanks for all your hard work!

Changed in mapserver (Ubuntu Intrepid):
status: In Progress → Fix Committed
Revision history for this message
Alan Boudreault (aboudreault) wrote :
Changed in mapserver (Ubuntu Hardy):
status: Confirmed → In Progress
Revision history for this message
Alan Boudreault (aboudreault) wrote :
Changed in mapserver (Ubuntu Jaunty):
status: Confirmed → In Progress
Revision history for this message
Alan Boudreault (aboudreault) wrote :

For Karmic, I've created a bug to sync the source package mapserver with debian unstable. The version 5.4.2 fixes all security bugs.

See: https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/415413

Changed in mapserver (Ubuntu Karmic):
status: Confirmed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for your patches! They look good and I have uploaded them for building. Can you comment on the testing performed for hardy, intrepid and jaunty? Thanks!

Changed in mapserver (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in mapserver (Ubuntu Jaunty):
status: In Progress → Fix Committed
Revision history for this message
Alan Boudreault (aboudreault) wrote :

For the security patches, they have been tested by the mapserver devs before the changes in branches. I've made a few tests on my side locally. I've not really tested the patches for hardy/intrepid/jaunty because they are almost identical to those I've made for debian, for which the major issues have been tested.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 5.0.3-3ubuntu0.1

---------------
mapserver (5.0.3-3ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: stack-based buffer overflow (LP: #398814)
    - debian/patches/01_CVE-2009-0839.dpatch: Apply a regex pattern
      to limit an id's value.
    - CVE-2009-0839
  * SECURITY UPDATE: heap-based buffer underflow (LP: #398814)
    - debian/patches/02_CVE-2009-840-CVE-2009-2281.dpatch: Add validation for
      a post request and the content-length.
    - CVE-2009-0840, CVE-2009-2281
  * SECURITY UPDATE: relative file path writing (LP: #398814)
    - debian/patches/03_CVE-2009-0841.dpatch: Limit the buffer size.
    - CVE-2009-0841
  * SECURITY UPDATE: file data leakage (LP: #398814)
    - debian/patches/04_CVE-2009-0842.dpatch: Set MAP/SYMBOLSET tag as mandatory.
    - CVE-2009-0842
  * SECURITY UPDATE: file existence leakage (LP: #398814)
    - debian/patches/05_CVE-2009-0843.dpatch: Add regex validation for the file extension.
    - CVE-2009-0843
  * SECURITY UPDATE: paths specified in url vulnerabilities.
    - debian/patches/06_urlpath.dpatch: Disable the variable overwriting from URL of a
      few variables.
    - [http://trac.osgeo.org/mapserver/ticket/1836]

 -- Alan Boudreault <email address hidden> Tue, 18 Aug 2009 10:47:46 -0400
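
The changelog entry for CVE-2009-0840 / CVE-2009-2281 ("Add validation for a post request and the content-length") describes the class of check below. This is an added example, not the dpatch or MapServer code: it assumes names parse_content_length(), read_post_body() and a site limit MAX_POST_BYTES, and shows the CONTENT_LENGTH value being bounds-checked before any buffer is sized from it.

```c
/* Added example, not MapServer code: bounded handling of a CGI POST body.
 * Assumed names: parse_content_length(), read_post_body(), MAX_POST_BYTES.
 * A CONTENT_LENGTH that is missing, non-numeric, negative or above the
 * limit is rejected before allocation, so no buffer is ever sized from an
 * unchecked client value (the condition behind a heap under/overflow). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POST_BYTES (1024L * 1024L)   /* assumed site policy limit */

/* Parse a CONTENT_LENGTH string; returns the length, or -1 if unusable. */
long parse_content_length(const char *value)
{
    if (value == NULL || *value == '\0') return -1;
    char *end;
    errno = 0;
    long n = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0') return -1; /* junk */
    if (n < 0 || n > MAX_POST_BYTES) return -1;                /* bounds */
    return n;
}

/* Read exactly len bytes from in into a fresh NUL-terminated buffer.
 * Returns NULL, with nothing left allocated, on a bad len or short read. */
char *read_post_body(FILE *in, long len)
{
    if (len < 0 || len > MAX_POST_BYTES) return NULL;
    char *buf = malloc((size_t)len + 1);
    if (buf == NULL) return NULL;
    if (fread(buf, 1, (size_t)len, in) != (size_t)len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}
```

A CGI would call parse_content_length(getenv("CONTENT_LENGTH")) and pass the result to read_post_body(stdin, len), refusing the request when either returns a failure value.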

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 5.0.3-2ubuntu0.1

---------------
mapserver (5.0.3-2ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: stack-based buffer overflow (LP: #398814)
    - debian/patches/01_CVE-2009-0839.dpatch: Apply a regex pattern
      to limit an id's value.
    - CVE-2009-0839
  * SECURITY UPDATE: heap-based buffer underflow (LP: #398814)
    - debian/patches/02_CVE-2009-840-CVE-2009-2281.dpatch: Add validation for
      a post request and the content-length.
    - CVE-2009-0840, CVE-2009-2281
  * SECURITY UPDATE: relative file path writing (LP: #398814)
    - debian/patches/03_CVE-2009-0841.dpatch: Limit the buffer size.
    - CVE-2009-0841
  * SECURITY UPDATE: file data leakage (LP: #398814)
    - debian/patches/04_CVE-2009-0842.dpatch: Set MAP/SYMBOLSET tag as mandatory.
    - CVE-2009-0842
  * SECURITY UPDATE: file existence leakage (LP: #398814)
    - debian/patches/05_CVE-2009-0843.dpatch: Add regex validation for the file extension.
    - CVE-2009-0843
  * SECURITY UPDATE: paths specified in url vulnerabilities.
    - debian/patches/06_urlpath.dpatch: Disable the variable overwriting from URL of a
      few variables.
    - [http://trac.osgeo.org/mapserver/ticket/1836]

 -- Alan Boudreault <email address hidden> Thu, 23 Jul 2009 08:53:05 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mapserver - 5.0.0-3ubuntu0.1

---------------
mapserver (5.0.0-3ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: stack-based buffer overflow (LP: #398814)
    - debian/patches/01_CVE-2009-0839.dpatch: Apply a regex pattern
      to limit an id's value.
    - CVE-2009-0839
  * SECURITY UPDATE: heap-based buffer underflow (LP: #398814)
    - debian/patches/02_CVE-2009-840-CVE-2009-2281.dpatch: Add validation for
      a post request and the content-length.
    - CVE-2009-0840, CVE-2009-2281
  * SECURITY UPDATE: relative file path writing (LP: #398814)
    - debian/patches/03_CVE-2009-0841.dpatch: Limit the buffer size.
    - CVE-2009-0841
  * SECURITY UPDATE: file data leakage (LP: #398814)
    - debian/patches/04_CVE-2009-0842.dpatch: Set MAP/SYMBOLSET tag as mandatory.
    - CVE-2009-0842
  * SECURITY UPDATE: file existence leakage (LP: #398814)
    - debian/patches/05_CVE-2009-0843.dpatch: Add regex validation for the file extension.
    - CVE-2009-0843
  * SECURITY UPDATE: paths specified in url vulnerabilities.
    - debian/patches/06_urlpath.dpatch: Disable the variable overwriting from URL of a
      few variables.
    - [http://trac.osgeo.org/mapserver/ticket/1836]

 -- Alan Boudreault <email address hidden> Tue, 18 Aug 2009 09:42:23 -0400

Changed in mapserver (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in mapserver (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in mapserver (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL (End of Life) and is no longer supported. As a result, this bug against dapper is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

tags: added: jaunty
Changed in mapserver (Ubuntu Dapper):
status: Confirmed → Won't Fix