Opened 11 years ago

Closed 11 years ago

#279 closed defect (fixed)

muroar_connect() allows connection to ~/.roar when $HOME is not set correctly

Reported by: ph3-der-loewe
Owned by: ph3-der-loewe
Priority: major
Milestone:
Component: µRoar
Version: 0.1.10
Keywords:
Cc:
Architecture:
Compiler:
Difficulty: normal
Kernel:
Operating System:
Parent Tickets:
Patch attached: no
Protocol: UNIX
Sound driver:
Topic: Security


muroar_connect() allows connecting to ~/.roar even when $HOME is not set correctly.

The following errors are in the code:

  • A leading slash is enforced
  • When $HOME is not set it tries to connect to "/(null)/.roar"
  • When $HOME is too long to fit into the buffer, it is truncated. This results in a security problem because an attacker may alter $HOME in a way letting µRoar connect to an existing server. This is mostly important for restricted environments like sudo, su, ssh, when parts of the env are passed while others are rejected.
  • May connect to "/invalid" if snprintf() fails (very unlikely).

Some notes:

  • It is supported to set the server via $ROAR_SERVER. This does not conflict with the statement above as it may be one of those rejected env variables.
  • No buffer overflow was found allowing remote code or data injection. This is why I set it only to "major" not "critical".


Change History (2)

comment:1 Changed 11 years ago by ph3-der-loewe

  • Owner set to ph3-der-loewe
  • Status changed from new to accepted

comment:2 Changed 11 years ago by ph3-der-loewe

  • Resolution set to fixed
  • Status changed from accepted to closed
  • Version changed from current to 0.1.10

This got fixed by checking that $HOME is not NULL and starts with a slash. In addition, the length is now checked. When there is an error, ~/.roar is skipped.
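The defect from the ticket description and the fix from comment:2 side by side, as an added illustration that is not µRoar's source; the buffer size, function names and the sample $HOME value are constructed for this demo:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROAR_PATH_LEN 32  /* demo buffer size, not uRoar's real constant */

/* Pre-fix behaviour as the ticket describes it: forced leading slash, no
 * $HOME validation, unnoticed snprintf() truncation. A NULL home is turned
 * into "(null)" explicitly (what glibc prints for a NULL %s) to stay defined. */
int roar_path_unchecked(const char *home, char *buf, size_t len)
{
    snprintf(buf, len, "/%s/.roar", home ? home : "(null)");
    return 0; /* always "succeeds", so the caller always tries to connect */
}

/* The fix from comment:2: reject a NULL or relative $HOME and any value that
 * would not fit, so ~/.roar is skipped instead of guessed.
 * Returns 0 with buf filled, or -1 when the default path must be skipped. */
int roar_path_checked(const char *home, char *buf, size_t len)
{
    if (home == NULL || home[0] != '/')
        return -1;                      /* unset, empty or relative $HOME */
    int n = snprintf(buf, len, "%s/.roar", home);
    if (n < 0 || (size_t)n >= len)      /* encoding error or truncation */
        return -1;
    return 0;
}

/* Builds the path with either variant into a static buffer; NULL means the
 * checked variant refused and ~/.roar is skipped. */
const char *demo_path(int checked, const char *home)
{
    static char buf[ROAR_PATH_LEN];
    int rc = checked ? roar_path_checked(home, buf, sizeof buf)
                     : roar_path_unchecked(home, buf, sizeof buf);
    return rc == 0 ? buf : NULL;
}

/* Constructed 38-byte $HOME whose first 30 bytes name a directory: after
 * truncation only "/" + those 30 bytes survive and "/.roar" is dropped. */
const char LONG_HOME[] = "tmp/attacker_socket_directory1/padding";

int main(void)
{
    printf("unchecked, HOME unset: %s\n", demo_path(0, NULL));
    printf("unchecked, long HOME : %s\n", demo_path(0, LONG_HOME));
    printf("checked, HOME unset  : %s\n", demo_path(1, NULL) ? "path" : "skipped");
    printf("checked, real HOME   : %s\n", demo_path(1, getenv("HOME")) ? "path" : "skipped");
    return 0;
}
```

With the unchecked variant the truncated result no longer ends in "/.roar", so the client would connect to whatever socket the first 30 bytes of $HOME name; the checked variant returns -1 for that input and for an unset or relative $HOME.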
