Who is this guy...?
JohnF
permission) below. The simple errors described there have been
fixed, with corrected code for the two ctan programs available at
http://www.forkosh.com/mimetex.zip
http://www.forkosh.com/mathtex.zip
But it's not yet submitted to ctan as they're trivial errors very
hard to trip over and hardly worth the administrative overhead (for
me or for ctan). However, they are errors worth my time to fix,
and somebody (see cc's on email) must have taken a hard look
at the programs to find them. For that I'm grateful.
What does bother me, however, is what seems to me like the
pompous, supercilious attitude of self-proclaimed net police
who write email to total strangers containing stuff like
IMPORTANT: Please let us know if you have any questions/concerns,
we would ask you not to disclose any of this information publicly
until we have confirmed an embargo date for these issues. (please
let me know if you are not familiar with this practice).
Well, I'm not familiar with this practice!
Embargo date? Who does this guy think he is???
--
John Forkosh ( mailto: j...@f.com where j=john and f=forkosh )
Here's the entire email...
From lc...@ocert.org Mon May 25 14:26:48 2009
Date: Mon, 25 May 2009 19:26:46 +0100
From: Andrea Barisani <lc...@ocert.org>
To: jo...@forkosh.com
Cc: inci...@ocert.org,
Chris Evans <cev...@google.com>,
Damien Miller <d...@google.com>
Subject: [oCERT] mimetex and mathtex security vulnerabilities
Hi John,
oCERT received two vulnerability reports about mathex and mimetex. We can put
you in contact with reporters and provide you with more detail if needed.
We would like to know if you are willing to provide patches and coordinate
with us an advisory release as well as pre-notification to vendors and
possibly US-CERT considering the large amount of website which uses your
cgis.
IMPORTANT: Please let us know if you have any questions/concerns, we would
ask you not to disclose any of this information publicly until we have
confirmed an embargo date for these issues. (please let me know if you are
not familiar with this practice).
I'm ccing the reporters for further discussion.
Thanks a lot!
Report 1:
There appears to rampant strcpy() use, many usages of which seem vulnerable.
A simple example TeX expression that triggers one and therefore crashes, is:
\picture(12,34){(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$10,10){testing}}
The code flaw seems to be in rastpicture():
char pream[64];
...
strcpy(pream,putexpr); } /* copy leading preamble from put */
No bounds checking. Perhaps a wholesale conversion of strcpy() -> strncpy()
(remembering it does not null terminate) is in order?
Poking around on Google image search, some significant web sites would seem
to embed a copy of mimetex.cgi and therefore are at risk:
http://images.google.com/images?hl=en&q=inurl%3Abin%2Fmimetex&btnG=Search+Images&gbv=2
...
http://physics.harvard.edu/cgi-bin/mimetex.cgi?f(x)=
\int_{-\infty}^xe^{-t^2}dt
https://richarddawkins.net/cgi-bin/mimetex.cgi?\int_{10}^{13} x dx
http://www.sciforums.com/cgi-bin/mimetex.cgi?\int \limits_a^b 4x^2~dx
http://bioeng.washington.edu/cgi-bin/mimetex.cgi? \huge r2_o = r_{io} +
h_o
Report 2:
In MathTeX picking one of the several arguments that is supplied to
subprocesses:
920 if ( getdirective(expression,"\\density",1,1,density) /*look for
\density*/
921 == NULL ) /* no \density directive */
922 getdirective(expression,"\\dpi",1,1,density); /* so try \dpi
instead */
...
1081 char convertargs[1024] = /* args/switches for convert
*/
1082 " -density %%dpi%% -gamma %%gamma%%"
1083 /*" -border 0% -fuzz 2%"*/
1084 " -trim -transparent \"#FFFFFF\" ";
...
1266 /* --- replace %%dpi%% in convert arg template with actual density
--- */
1267 strreplace(convertargs,"%%dpi%%",density,1,0);
...
1277 strcat(command,convertargs); /* add convert switches */
...
1284 sys_stat = system(command); /* execute system(convert)
command */
The getdirective() function extracts a directive from the HTTP query string,
taking untrusted input with no filtering.
There are also stack-based overflows caused by operations on convertargs,
command and pretty much every other string.
Finally, and I haven't bothered to confirm this given the above, it looks
like its temp file handling is insecure too: it uses deterministic paths and
does not open with O_CREAT|O_EXCL (in fact, it just uses fopen).
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lc...@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
Robin Fairbairns
>I'm asking about the author of the email reproduced (without
>permission) below. The simple errors described there have been
>fixed, with corrected code for the two ctan programs available at
> http://www.forkosh.com/mimetex.zip
> http://www.forkosh.com/mathtex.zip
>But it's not yet submitted to ctan as they're trivial errors very
>hard to trip over and hardly worth the administrative overhead (for
>me or for ctan). However, they are errors worth my time to fix,
>and somebody (see cc's on email) must have taken a hard look
>at the programs to find them. For that I'm grateful.
>
>What does bother me, however, is what seems to me like the
>pompous, supercilious attitude of self-proclaimed net police
>who write email to total strangers containing stuff like
> IMPORTANT: Please let us know if you have any questions/concerns,
> we would ask you not to disclose any of this information publicly
> until we have confirmed an embargo date for these issues. (please
> let me know if you are not familiar with this practice).
>Well, I'm not familiar with this practice!
>Embargo date? Who does this guy think he is???
someone in a cert team somewhere, presumably.
their business is finding vulnerabilities in software, that could
cause vulnerabilities if installed on a web server. unchecked
strcopy, iirc, was the ultimate source of the morris worm so it's the
sort of thing these people look for.
it's irrelevant whether it's difficult to "trip over the problem";
what's relevant is whether it's possible to use the problem to
construct an attack on the server that offers the program.
(we get personal service from our local cert team, because we know all
of the members well; if we get messages from any other -- even if it's
from the isp's team -- they tend to be pretty impersonal. if you run
a service of any sort, you're likely to attract messages from cert
teams all over the place. we do.)
--
Robin Fairbairns, Cambridge
JohnF
> JohnF <jo...@please.see.sig.for.email.com> writes:
>>I'm asking about the author of the email reproduced (without
>>permission) below. The simple errors described there have been
>>fixed, with corrected code for the two ctan programs available at
>> http://www.forkosh.com/mimetex.zip
>> http://www.forkosh.com/mathtex.zip
>>But it's not yet submitted to ctan as they're trivial errors very
>>hard to trip over and hardly worth the administrative overhead (for
>>me or for ctan). However, they are errors worth my time to fix,
>>and somebody (see cc's on email) must have taken a hard look
>>at the programs to find them. For that I'm grateful.
>>
>>What does bother me, however, is what seems to me like the
>>pompous, supercilious attitude of self-proclaimed net police
>>who write email to total strangers containing stuff like
>> IMPORTANT: Please let us know if you have any questions/concerns,
>> we would ask you not to disclose any of this information publicly
>> until we have confirmed an embargo date for these issues. (please
>> let me know if you are not familiar with this practice).
>>Well, I'm not familiar with this practice!
>>Embargo date? Who does this guy think he is???
>
> someone in a cert team somewhere, presumably.
>
> their business is finding vulnerabilities in software, that could
> cause vulnerabilities if installed on a web server. unchecked
> sort of thing these people look for.
>
> it's irrelevant whether it's difficult to "trip over the problem";
> what's relevant is whether it's possible to use the problem to
> construct an attack on the server that offers the program.
>
> (we get personal service from our local cert team, because we know all
> of the members well; if we get messages from any other -- even if it's
> from the isp's team -- they tend to be pretty impersonal. if you run
> a service of any sort, you're likely to attract messages from cert
> teams all over the place. we do.)
Thanks, Robin. I agree that can be a useful community service,
and maybe I overreacted a little. But I get emails from people
with requests or pointing out errors all the time, none of whom
have felt the need to use words like "embargo" until now.
Anyway, I've looked over the remaining 91 occurrences of strcpy
in mimetex.c, which are all pretty benign, comprising statements
like
strcpy(subexpr,"{"); /* start off with opening { */
or like
strcpy(expression,delim+1); /* shift name= out of expression */
where delim is already a pointer into expression. Nevertheless,
although mimetex.c isn't large, with 15K lines of code you're almost
guaranteed that some errors remain somewheres.
As for mathtex.c, I've fixed the explicit vulnerability that was
pointed out. But anyone using it should realize it's essentially
a script written in C that just runs latex and friends. So it's
going to remain as exploitable as all the similar script cgi's
that are out there. I'm not sure there's much I can do about that.
So far (knock on wood), however, I haven't received any emails
from people who think their systems have been hacked into
through either mimetex or mathtex. Though more people use these
programs than I'd have originally guessed, it's still a vanishingly
small user base in web terms. And I'd guess that seriously
dangerous hackers/crackers might focus their efforts on jucier
targets.
Robin Fairbairns
>Robin Fairbairns <rf...@cl.cam.ac.uk> wrote:
>> JohnF <jo...@please.see.sig.for.email.com> writes:
>>>Embargo date? Who does this guy think he is???
>>
>> someone in a cert team somewhere, presumably.
>
>and maybe I overreacted a little. But I get emails from people
>with requests or pointing out errors all the time, none of whom
>have felt the need to use words like "embargo" until now.
cert teams embargo details of problems that have been reported to them
so that the supplier of the software has time to put it right.
why do you think m$ releases can be so precisely scheduled? -- because
the cert people have embargoed their information. once the patches
have propagated, cert will release the information.
>As for mathtex.c, I've fixed the explicit vulnerability that was
>pointed out. But anyone using it should realize it's essentially
>a script written in C that just runs latex and friends. So it's
>going to remain as exploitable as all the similar script cgi's
>that are out there. I'm not sure there's much I can do about that.
>
>So far (knock on wood), however, I haven't received any emails
>from people who think their systems have been hacked into
>through either mimetex or mathtex. Though more people use these
>programs than I'd have originally guessed, it's still a vanishingly
>small user base in web terms. And I'd guess that seriously
>dangerous hackers/crackers might focus their efforts on jucier
>targets.
any website that's capable of doing anything other than just serving
pages is a worthy target of attack by the slime who do these things.
(and sometimes they even have an agenda related to nothing more than
the pages that are served.)
--
Robin Fairbairns, Cambridge
JohnF
> JohnF <jo...@please.see.sig.for.email.com> writes:
>> Thanks, Robin. I agree that can be a useful community service,
>> and maybe I overreacted a little. But I get emails from people
>> with requests or pointing out errors all the time, none of whom
>> have felt the need to use words like "embargo" until now.
>
> cert teams embargo details of problems that have been reported to
> them so that the supplier of the software has time to put it right.
>
> why do you think m$ releases can be so precisely scheduled? -- because
> the cert people have embargoed their information. once the patches
> have propagated, cert will release the information.
Oops, looks like I misinterpreted their meaning. But it wasn't
too far-fetched a misinterpretation given their choice of vocabulary
and grammar (especially on the internet, routinely peppered with more
gratuitous obnoxiousness than one might hope for).
>> As for mathtex.c, I've fixed the explicit vulnerability that was
>> pointed out. But anyone using it should realize it's essentially
>> a script written in C that just runs latex and friends. So it's
>> going to remain as exploitable as all the similar script cgi's
>> that are out there. I'm not sure there's much I can do about that.
>>
>> So far (knock on wood), however, I haven't received any emails
>> from people who think their systems have been hacked into
>> through either mimetex or mathtex. Though more people use these
>> programs than I'd have originally guessed, it's still a vanishingly
>> small user base in web terms. And I'd guess that seriously
>> dangerous hackers/crackers might focus their efforts on jucier
>> targets.
>
> any website that's capable of doing anything other than just serving
> pages is a worthy target of attack by the slime who do these things.
> (and sometimes they even have an agenda related to nothing more than
> the pages that are served.)
Okay, well, I've put current corrected copies of mimetex.zip and
mathtex.zip on ftp.tex.ac.uk/incoming, along with the requisite
emails to ctan.dante.de. Sorry for the extra work. (P.S. You're
welcome for the upload.:) And, to the extent that security remains
an ongoing issue, perhaps users of either program should be advised
that, while I am an experienced C programmer, I'm no security expert.
And that leads to the open question of how much of one's time
should be spent trying to do good things, versus trying to stop
other people from doing bad things. (I'm not liking today's answer
to that question, which perhaps partly explains my initial bad
reaction to ocert's email.)
Par
> And that leads to the open question of how much of one's time
> should be spent trying to do good things, versus trying to stop
> other people from doing bad things. (I'm not liking today's answer
> to that question, which perhaps partly explains my initial bad
> reaction to ocert's email.)
It is really a matter of *whose* time is spent. If no security measures
are taken someone else will -- inevitably -- have to clean up the mess
when some script kiddie had fun. No, I don't like it either, but then I
would also like to live in a world where I did not need to lock my car
either.
/Par
--
Par use...@hunter-gatherer.org
"First they came for the verbs, and I said nothing because verbing
weirds language. Then they arrival for the nouns, and I speech nothing
because I no verbs." -- Peter Ellis on afp