Format string vulnerabilities (and more) in multiple safe curses wrapper crates. #106
Comments
|
Thanks for reporting these @thomcc. We generally have format injection in-scope, and some of these sound potentially exploitable. It seems like the ones with issues already reported upstream like ihalila/pancurses#66 and jeaye/ncurses-rs#172 already potentially warrant advisories. For the others, I'd suggest reporting them upstream first as well, and then we can decide on a case-by-case basis which of them also deserve advisories (buffer overflows seem like an obvious yes, whereas the "memory unsafety" of incorrectly encoded Strings seems a little more questionable as to whether it's a practical security issue). |
|
Fine. I filed issues for the two new ones (IMO jeaye/ncurses-rs#172 is still arguably unresolved since the function is still present and usable in safe rust, but maybe the pings from this activity will fix that). I also noticed that
I'd... certainly hope you consider them in scope. Format string vulnerabilities (speficially the kind for
Yeah, that's why I mentioned that I wasn't exactly sure if someone could exploit that. (Since it's |
|
Wow, this does look serious. Thanks for bringing it up! |
|
The only way to handle this correctly is expose these functions as Deprecation is definitely insufficient because it's not transitive, and more importantly, people do not expect this to mean "using this may cause memory errors". That's exactly what |
|
The issues in ncurses-rs have been closed as the author does not believe that it matters that these APIs are fundamentally broken. Filed advisories. |
|
Those issues are merged and have been assigned @thomcc I think we can close this issue now? |
|
SGTM |
|
Can someone point me to the reproducer program ? I would like to try it out |
|
@rhmcruiser reproducer can be found here: ihalila/pancurses#54 |
|
@kpcyrd thanks |
|
Often format string vulnerabilities are exploited by using the (non-standard, but common) %n format specifier, which allows writing into the callers stack. |
I've noticed potentially exploitable security vulnerabilities in the following crates[0], which can be triggered by users of these libraries without writing unsafe code.
I'm filing an issue rather than a PR since I don't know that I have time to see this through to it's conclusion, especially since multiple crates and several functions are involved. The FAQ indicates that this is okay.
pancursesThe crate https://crates.io/crates/pancurses exposes the functions
Window::printwandWindow::mvprintwas safe functions (I think this is all of them, but could be wrong), despite these passing an arbitrary ruststrto into C code which expects to receive a printf-style format string. This can lead to a format string vulnerability.I filed ihalila/pancurses#66 about this, shortly before filing this issue.
ncursesThe crate https://crates.io/crates/ncurses exposes the functions
printw,mvprintw, andmvwprintwas safe functions, which have the same issues described above.In jeaye/ncurses-rs#172 I raised this issue about
printw(but missed that it wasn't justprintw), which lead to that functions deprecation[1]. When writing this issue for the advisory-db, I noticed the existence of the other two functions. I don't see any other functions accepting format strings (thescanwfunctions, mercifully, are not exposed).Additionally, while filing this bug, I noticed the following additional vulnerabilities or memory safety issues (I haven't filed issues in the
ncursescrate's repository about these):instris exposed, which has a buffer overflow (the cursesinstrfunction is somewhat similar to thegetsfunction from the C stdlib, in that writes as much text that it wants into a lengthless buffer pointer).mvwinstrhas the same problem, just not as directly.Several functions (1, 2, 3) write data from the terminal directly into a String's underlying buffer, when the data may not be valid UTF-8. I don't know if this can be exploited, but it's a memory safety issue nonetheless. Hopefully the members of this repository have some intuition as to the exploitability of this sort of problem.
I have not done a very thorough look, these are just the most obvious problems to me. Ideally, someone more familiar with the curses library's API would look further.
[0]: For total clarity, I didn't look at any others. It seems plausible to me that other Rust curses libs have similar mistakes, since it's a very hard API to use safely. That said, I think these are the most popular ones (not that that makes things any better).
[1]: I don't really feel that deprecation is sufficient, as the function is still present (and not
unsafe). Transitive dependency deprecations aren't reported, so rust code consuming this crate transitively could still be at risk. However, if the members of this repository disagree, then one fewer of thencursescrates functions are problematic in the current release.The text was updated successfully, but these errors were encountered: