Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <8760d9nd9y.fsf@frougon.crabdance.com>
Date: Sun, 27 Aug 2017 19:14:49 +0200
From: Florent Rougon <f.rougon@...e.fr>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-13709: Incorrect access control in FlightGear

Hi,

Please find below the info for CVE-2017-13709. I'm also attaching a
patch combining the security fix applied to FlightGear's 'next'
branch[1] with its parent commit[2], because [1] requires [2] to work
properly.

However, I don't expect the combined patch nor [2] to apply cleanly to
FlightGear 2017.2 or earlier, because commit [3] introduced changes in
the close vicinity of the changes in [2] (two conflicts). If you need to
adapt [2] for such releases, just put the fgInitAllowedPaths() call
after the one to Options::processOptions() in src/Main/fg_init.cxx[4] and
src/Main/main.cxx[5], and you should be good.

I will probably backport the needed changes to a few of the last
releases in the next days: see the FlightGear release branches at [6].

[1] https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
[2] https://sourceforge.net/p/flightgear/flightgear/ci/c7a2aef59979af3e9ff22daabb37bdaadb91cd75/
[3] https://sourceforge.net/p/flightgear/flightgear/ci/b2cc191bc665d13f50360e5508234e653669a372/
[4] https://sourceforge.net/p/flightgear/flightgear/ci/next/tree/src/Main/fg_init.cxx#l1147
[5] https://sourceforge.net/p/flightgear/flightgear/ci/next/tree/src/Main/main.cxx#l543
[6] https://sourceforge.net/p/flightgear/flightgear/ref/next/branches/

Now here is the info for CVE-2017-13709:

[Suggested description]
In FlightGear before version 2017.3.1, Main/logger.cxx in the FGLogger
subsystem allows one to overwrite any file via a resource that affects
the contents of the global Property Tree.

------------------------------------------

[Additional Information]
In FlightGear before version 2017.3.1, the FGLogger subsystem allows
one to overwrite any file the user has write access to (with enough
control over the contents to run arbitrary commands if the target file
is then executed). A resource such as a malicious third-party aircraft
or add-on could exploit this to damage files belonging to the user.

The security fix
(https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/)
requires its parent commit
(https://sourceforge.net/p/flightgear/flightgear/ci/c7a2aef59979af3e9ff22daabb37bdaadb91cd75/)
to work correctly.

We are not aware of any malicious resource exploiting the problem.

The fix will be in FlightGear 2017.3.1 (expected in a few days).

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
FlightGear (http://flightgear.org/)

------------------------------------------

[Affected Product Code Base]
FlightGear - Affected: releases earlier than 2017.3.1 (at least since
version 2.0.0).

------------------------------------------

[Affected Component]
source file: src/Main/logger.cxx in the FlightGear repository
(https://sourceforge.net/p/flightgear/flightgear/ci/next/tree/src/Main/logger.cxx)
executable: fgfs

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[CVE Impact Other]
Allows one to overwrite any file the user has write access to, and to
control a significant part of the written contents. This leads to code
execution using .bashrc and such.

------------------------------------------

[Attack Vectors]
Trick users into installing a resource that enables logging to a
chosen file, via properties /logging/log/... For instance, a malicious
third-party aircraft or add-on could do that (add-ons loaded via 'fgfs
--addon=...').

------------------------------------------

[Reference]
https://sourceforge.net/p/flightgear/flightgear/ci/2a5e3d06b2c0d9f831063afe7e7260bca456d679/
https://sourceforge.net/p/flightgear/flightgear/ci/c7a2aef59979af3e9ff22daabb37bdaadb91cd75/

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
wkitty42

-- 
Florent

View attachment "combined-patch-for-CVE-2017-13709.patch" of type "text/x-diff" (5459 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.