I'm asking about the author of the email reproduced (without permission) below. The simple errors described there have been fixed, with corrected code for the two ctan programs available at http://www.forkosh.com/mimetex.zip http://www.forkosh.com/mathtex.zip But it's not yet submitted to ctan as they're trivial errors very hard to trip over and hardly worth the administrative overhead (for me or for ctan). However, they are errors worth my time to fix, and somebody (see cc's on email) must have taken a hard look at the programs to find them. For that I'm grateful.
What does bother me, however, is what seems to me like the pompous, supercilious attitude of self-proclaimed net police who write email to total strangers containing stuff like IMPORTANT: Please let us know if you have any questions/concerns, we would ask you not to disclose any of this information publicly until we have confirmed an embargo date for these issues. (please let me know if you are not familiar with this practice). Well, I'm not familiar with this practice! Embargo date? Who does this guy think he is??? -- John Forkosh ( mailto: j...@f.com where j=john and f=forkosh )
Here's the entire email...
From lc...@ocert.org Mon May 25 14:26:48 2009
Date: Mon, 25 May 2009 19:26:46 +0100
From: Andrea Barisani <lc...@ocert.org>
To: j...@forkosh.com
Cc: incide...@ocert.org, Chris Evans <cev...@google.com>, Damien Miller <d...@google.com>
Subject: [oCERT] mimetex and mathtex security vulnerabilities
Hi John,
oCERT received two vulnerability reports about mathtex and mimetex. We can put you in contact with the reporters and provide you with more detail if needed.
We would like to know if you are willing to provide patches and coordinate an advisory release with us, as well as pre-notification to vendors and possibly US-CERT, considering the large number of websites which use your cgis.
IMPORTANT: Please let us know if you have any questions/concerns, we would ask you not to disclose any of this information publicly until we have confirmed an embargo date for these issues. (please let me know if you are not familiar with this practice).
I'm ccing the reporters for further discussion.
Thanks a lot!
Report 1:
There appears to be rampant strcpy() use, many usages of which seem vulnerable. A simple example TeX expression that triggers one and therefore crashes, is:
In MathTeX picking one of the several arguments that is supplied to subprocesses:
    920 if ( getdirective(expression,"\\density",1,1,density) /*look for \density*/
    921      == NULL )                                    /* no \density directive */
    922   getdirective(expression,"\\dpi",1,1,density);   /* so try \dpi instead */
    ...
    1081 char convertargs[1024] =                /* args/switches for convert */
    1082   " -density %%dpi%% -gamma %%gamma%%"
    1083   /*" -border 0% -fuzz 2%"*/
    1084   " -trim -transparent \"#FFFFFF\" ";
    ...
    1266 /* --- replace %%dpi%% in convert arg template with actual density --- */
    1267 strreplace(convertargs,"%%dpi%%",density,1,0);
    ...
    1277 strcat(command,convertargs);            /* add convert switches */
    ...
    1284 sys_stat = system(command);             /* execute system(convert) command */
The getdirective() function extracts a directive from the HTTP query string, taking untrusted input with no filtering.
There are also stack-based overflows caused by operations on convertargs, command and pretty much every other string.
Finally, and I haven't bothered to confirm this given the above, it looks like its temp file handling is insecure too: it uses deterministic paths and does not open with O_CREAT|O_EXCL (in fact, it just uses fopen).
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lc...@ocert.org>  http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
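The report above describes one chain of defects: an untrusted \density value copied with unbounded strcpy()/strreplace() into a fixed buffer, that value spliced into a string handed to system(), and temp files opened with fopen() on a predictable name. As an added example, not mathtex.c's own code and not written by anyone in this thread, here is the defensive counterpart of that chain in C; density_ok, build_convert_argv, open_private_tmp and DENSITY_MAX are hypothetical names, and the switch list mirrors the convertargs template quoted in the report.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DENSITY_MAX 4   /* assumed bound: a dpi value needs no more digits than "1200" */
#define CONVERT_ARGC 8

/* Accept only an all-digit density of bounded length, so the value extracted
 * from the query string can neither overflow a fixed buffer nor carry shell
 * metacharacters into the convert command line. */
int density_ok(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > DENSITY_MAX) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Build an argv for execvp() instead of a command string for system(): the
 * density is one argument and is never re-parsed by /bin/sh.  Returns 1 on
 * success, 0 if the density is rejected; argv needs CONVERT_ARGC + 1 slots. */
int build_convert_argv(const char *density, const char *in, const char *out,
                       const char *argv[]) {
    if (!density_ok(density)) return 0;
    argv[0] = "convert";  argv[1] = "-density";     argv[2] = density;
    argv[3] = "-trim";    argv[4] = "-transparent"; argv[5] = "#FFFFFF";
    argv[6] = in;         argv[7] = out;            argv[8] = NULL;
    return 1;
}

/* Replace fopen() on a deterministic path with mkstemp(): the name is random
 * and the file is created O_CREAT|O_EXCL with mode 0600, so a pre-planted
 * file or symlink at that name is never opened.  Returns the fd or -1. */
int open_private_tmp(char *path, size_t pathlen) {
    const char *tmpl = "/tmp/mathtex.XXXXXX";
    if (strlen(tmpl) + 1 > pathlen) return -1;
    strcpy(path, tmpl);            /* bounded: length checked just above */
    return mkstemp(path);
}

int main(void) {
    const char *argv[CONVERT_ARGC + 1];
    char path[64];
    int fd = open_private_tmp(path, sizeof path);
    if (fd < 0 || !build_convert_argv("300", "in.ps", path, argv)) return 1;
    printf("would execvp: %s %s %s ... %s\n", argv[0], argv[1], argv[2], argv[7]);
    close(fd);
    unlink(path);
    return 0;
}
```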
JohnF <j...@please.see.sig.for.email.com> writes:
>I'm asking about the author of the email reproduced (without
>permission) below. The simple errors described there have been
>fixed, with corrected code for the two ctan programs available at
> http://www.forkosh.com/mimetex.zip
> http://www.forkosh.com/mathtex.zip
>But it's not yet submitted to ctan as they're trivial errors very
>hard to trip over and hardly worth the administrative overhead (for
>me or for ctan). However, they are errors worth my time to fix,
>and somebody (see cc's on email) must have taken a hard look
>at the programs to find them. For that I'm grateful.

>What does bother me, however, is what seems to me like the
>pompous, supercilious attitude of self-proclaimed net police
>who write email to total strangers containing stuff like
> IMPORTANT: Please let us know if you have any questions/concerns,
> we would ask you not to disclose any of this information publicly
> until we have confirmed an embargo date for these issues. (please
> let me know if you are not familiar with this practice).
>Well, I'm not familiar with this practice!
>Embargo date? Who does this guy think he is???
someone in a cert team somewhere, presumably.
their business is finding vulnerabilities in software, that could cause vulnerabilities if installed on a web server. unchecked strcpy, iirc, was the ultimate source of the morris worm so it's the sort of thing these people look for.
it's irrelevant whether it's difficult to "trip over the problem"; what's relevant is whether it's possible to use the problem to construct an attack on the server that offers the program.
(we get personal service from our local cert team, because we know all of the members well; if we get messages from any other -- even if it's from the isp's team -- they tend to be pretty impersonal. if you run a service of any sort, you're likely to attract messages from cert teams all over the place. we do.) -- Robin Fairbairns, Cambridge
Robin Fairbairns <r...@cl.cam.ac.uk> wrote:
> JohnF <j...@please.see.sig.for.email.com> writes:
>>I'm asking about the author of the email reproduced (without
>>permission) below. The simple errors described there have been
>>fixed, with corrected code for the two ctan programs available at
>> http://www.forkosh.com/mimetex.zip
>> http://www.forkosh.com/mathtex.zip
>>But it's not yet submitted to ctan as they're trivial errors very
>>hard to trip over and hardly worth the administrative overhead (for
>>me or for ctan). However, they are errors worth my time to fix,
>>and somebody (see cc's on email) must have taken a hard look
>>at the programs to find them. For that I'm grateful.

>>What does bother me, however, is what seems to me like the
>>pompous, supercilious attitude of self-proclaimed net police
>>who write email to total strangers containing stuff like
>> IMPORTANT: Please let us know if you have any questions/concerns,
>> we would ask you not to disclose any of this information publicly
>> until we have confirmed an embargo date for these issues. (please
>> let me know if you are not familiar with this practice).
>>Well, I'm not familiar with this practice!
>>Embargo date? Who does this guy think he is???

> someone in a cert team somewhere, presumably.

> their business is finding vulnerabilities in software, that could
> cause vulnerabilities if installed on a web server. unchecked
> strcpy, iirc, was the ultimate source of the morris worm so it's the
> sort of thing these people look for.

> it's irrelevant whether it's difficult to "trip over the problem";
> what's relevant is whether it's possible to use the problem to
> construct an attack on the server that offers the program.

> (we get personal service from our local cert team, because we know all
> of the members well; if we get messages from any other -- even if it's
> from the isp's team -- they tend to be pretty impersonal. if you run
> a service of any sort, you're likely to attract messages from cert
> teams all over the place. we do.)
Thanks, Robin. I agree that can be a useful community service, and maybe I overreacted a little. But I get emails from people with requests or pointing out errors all the time, none of whom have felt the need to use words like "embargo" until now.
Anyway, I've looked over the remaining 91 occurrences of strcpy in mimetex.c, which are all pretty benign, comprising statements like strcpy(subexpr,"{"); /* start off with opening { */ or like strcpy(expression,delim+1); /* shift name= out of expression */ where delim is already a pointer into expression. Nevertheless, although mimetex.c isn't large, with 15K lines of code you're almost guaranteed that some errors remain somewheres.
As for mathtex.c, I've fixed the explicit vulnerability that was pointed out. But anyone using it should realize it's essentially a script written in C that just runs latex and friends. So it's going to remain as exploitable as all the similar script cgi's that are out there. I'm not sure there's much I can do about that.
So far (knock on wood), however, I haven't received any emails from people who think their systems have been hacked into through either mimetex or mathtex. Though more people use these programs than I'd have originally guessed, it's still a vanishingly small user base in web terms. And I'd guess that seriously dangerous hackers/crackers might focus their efforts on juicier targets. -- John Forkosh ( mailto: j...@f.com where j=john and f=forkosh )
JohnF <j...@please.see.sig.for.email.com> writes:
>Robin Fairbairns <r...@cl.cam.ac.uk> wrote:
>> JohnF <j...@please.see.sig.for.email.com> writes:
>>>Embargo date? Who does this guy think he is???

>> someone in a cert team somewhere, presumably.

>Thanks, Robin. I agree that can be a useful community service,
>and maybe I overreacted a little. But I get emails from people
>with requests or pointing out errors all the time, none of whom
>have felt the need to use words like "embargo" until now.
cert teams embargo details of problems that have been reported to them so that the supplier of the software has time to put it right.
why do you think m$ releases can be so precisely scheduled? -- because the cert people have embargoed their information. once the patches have propagated, cert will release the information.
>As for mathtex.c, I've fixed the explicit vulnerability that was
>pointed out. But anyone using it should realize it's essentially
>a script written in C that just runs latex and friends. So it's
>going to remain as exploitable as all the similar script cgi's
>that are out there. I'm not sure there's much I can do about that.

>So far (knock on wood), however, I haven't received any emails
>from people who think their systems have been hacked into
>through either mimetex or mathtex. Though more people use these
>programs than I'd have originally guessed, it's still a vanishingly
>small user base in web terms. And I'd guess that seriously
>dangerous hackers/crackers might focus their efforts on juicier
>targets.
any website that's capable of doing anything other than just serving pages is a worthy target of attack by the slime who do these things. (and sometimes they even have an agenda related to nothing more than the pages that are served.) -- Robin Fairbairns, Cambridge
Robin Fairbairns <r...@cl.cam.ac.uk> wrote:
> JohnF <j...@please.see.sig.for.email.com> writes:
>> Thanks, Robin. I agree that can be a useful community service,
>> and maybe I overreacted a little. But I get emails from people
>> with requests or pointing out errors all the time, none of whom
>> have felt the need to use words like "embargo" until now.

> cert teams embargo details of problems that have been reported to
> them so that the supplier of the software has time to put it right.

> why do you think m$ releases can be so precisely scheduled? -- because
> the cert people have embargoed their information. once the patches
> have propagated, cert will release the information.
Oops, looks like I misinterpreted their meaning. But it wasn't too far-fetched a misinterpretation given their choice of vocabulary and grammar (especially on the internet, routinely peppered with more gratuitous obnoxiousness than one might hope for).
>> As for mathtex.c, I've fixed the explicit vulnerability that was
>> pointed out. But anyone using it should realize it's essentially
>> a script written in C that just runs latex and friends. So it's
>> going to remain as exploitable as all the similar script cgi's
>> that are out there. I'm not sure there's much I can do about that.

>> So far (knock on wood), however, I haven't received any emails
>> from people who think their systems have been hacked into
>> through either mimetex or mathtex. Though more people use these
>> programs than I'd have originally guessed, it's still a vanishingly
>> small user base in web terms. And I'd guess that seriously
>> dangerous hackers/crackers might focus their efforts on juicier
>> targets.

> any website that's capable of doing anything other than just serving
> pages is a worthy target of attack by the slime who do these things.
> (and sometimes they even have an agenda related to nothing more than
> the pages that are served.)
Okay, well, I've put current corrected copies of mimetex.zip and mathtex.zip on ftp.tex.ac.uk/incoming, along with the requisite emails to ctan.dante.de. Sorry for the extra work. (P.S. You're welcome for the upload.:) And, to the extent that security remains an ongoing issue, perhaps users of either program should be advised that, while I am an experienced C programmer, I'm no security expert. And that leads to the open question of how much of one's time should be spent trying to do good things, versus trying to stop other people from doing bad things. (I'm not liking today's answer to that question, which perhaps partly explains my initial bad reaction to ocert's email.) -- John Forkosh ( mailto: j...@f.com where j=john and f=forkosh )
> And that leads to the open question of how much of one's time
> should be spent trying to do good things, versus trying to stop
> other people from doing bad things. (I'm not liking today's answer
> to that question, which perhaps partly explains my initial bad
> reaction to ocert's email.)

It is really a matter of *whose* time is spent. If no security measures are taken, someone else will -- inevitably -- have to clean up the mess when some script kiddie has had fun. No, I don't like it either, but then I would also like to live in a world where I did not need to lock my car.
/Par
-- Par use...@hunter-gatherer.org "First they came for the verbs, and I said nothing because verbing weirds language. Then they arrival for the nouns, and I speech nothing because I no verbs." -- Peter Ellis on afp