Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <507F09FC.1090408@redhat.com>
Date: Wed, 17 Oct 2012 13:41:48 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Simon McVittie <smcv@...ian.org>
Subject: Re: CVE request: ruby file creation due in insertion
 of illegal NUL character

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/2012 12:14 PM, Simon McVittie wrote:
> On 17/10/12 18:03, Kurt Seifried wrote:
>> Avtually looking at that page it appears that no modern file 
>> systems allows NUL in a file name (and in general I suspect it's
>> a bad idea/leads to some nasty edge case issues).
> 
> Anything that, directly or indirectly, uses Unix-style APIs to
> access files can't possibly support NUL in a filename anyway, since
> those APIs receive the filename as a NUL-terminated string.
> 
>> Personally I think the perlopentut case makes sense, using NUL
>> as an end of string marker. What happens if stuff comes after it 
>> though?
> 
> For Perl, one possibility would be to continue to treat an input
> of "foo\0" as equivalent to "foo" (so that you can use "./ foo \0"
> to mean " foo ", as documented), but disallow NULs anywhere except
> the last position.
> 
> S
> 

Wow so this goes back a ways:

http://insecure.org/news/P55-07.txt

- -------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 07 of
19  ]

- ----------------[  The Beef

- ----[  Poison NULL byte

Note:  The name `Poison NULL byte` was originally used by Olaf Kirch
in a Bugtraq post. I liked it, and it fit...  So I used.  Greetings to
Olaf.

When does "root" != "root", but at the same time, "root" == "root"
(Confused yet)?  When you co-mingle programming languages.

One night I got to wondering, exactly what would Perl allow, and could
I get anything to blow up in unexpected ways.  So I started piping
very weird data out to various system calls and functions.  Nothing
spectacular, except for one that was quite notable...

You see, I wanted to open a particular file, "rfp.db".  I used a fake
web scenario to get an incoming value "rfp", tacked on a ".db", and
then opened the file.  In Perl, the functional part of the script was
something like:

	# parse $user_input
	$database="$user_input.db";
	open(FILE "<$database");

Great.  I pass 'user_input=rfp', and the script tries to open "rfp.db".
Pretty simple (let's ignore the obvious /../ stuff right now).

Then it got interesting when I passed 'user_input=rfp%00'.  Perl made
$database="rfp\0.db", and then tried to open $database.  The results?
 It  opened "rfp" (or would have, had it existed).  What happened to
the ".db"?   This is the interesting part.

You see, Perl allows NUL characters in its variables as data.  Unlike C,
NUL is not a string delimiter.  So, "root" != "root\0".  But, the
underlying system/kernel calls are programmed in C, which DOES
recognize NUL as a delimiter.  So the end result?  Perl passes
"rfp\0.db", but the underlying libs stop processing when they hit the
first (our) NUL.

......... and so on.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQfwn8AAoJEBYNRVNeJnmTQWEP/2gqNZrmNM17B9OnCHwIsBo2
+DfRtHYN6crwxtZUOPR6Ofbfxj+q9bCQUoOt2CMlKHx/aKZlMMSM+Hm/oYS23pIa
lVuBinVTM3Vh8RiFvNctGdieoqtPnMKkqag3+Aq8dXn+VOLHHZhw0d0IiK7skE+L
FVZJak+ly5KXfWu1THyCxQvstduY37lSlqGIeB7MLXUdyUqKSt+MEbMwxwayPFJV
J2kfJFIyf+ehV1/+XwQBZk6lbuPduJSWiqluyg3RIZzEJOjzd/5KC+JUtAlCwFeZ
TjRxCGUuiNIUaOcYrDkJ5HOxGY0uKLpgEHQ+VUmWvI0CpE5xx798AxraowkG2AHp
T7E0J2pavt35uaCGb2TzimqpaCsmscPDKZiLkYpPsCZCxutRdCkKXJxd6Hu9x7kc
VajhN2ESgs4kwzVDSM0FsMUChAuSySLcUTvi/ydCYj4WFsPCN8OSaccw/6ep8Wiz
TJ8x7TnUvqilWog1dqwMAw9a+UbHT7W1fa62eqRmni6Woz41/pdDmIfMEAWqCnnF
gIKZSBggfMruLQhAScOAGcZYo8PNA1oK4ofKP49j7uGCpmaDIKG344KuRGnrT7bj
2N3gPEOBFE7s4y9C6cyqyR2zZMr3Jmw/QZBI8TjjHF0+H+qNdjZOQkzdRc5CFhzc
LOJn9jfw/W5Gk9N0D5bb
=b9SL
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.