Saturday, February 18, 2012

CVE-2010-3076 and smbind

This is just another issue I verified for Maverick; I did not write the patch/debdiff for it. There does seem to be an upstream patch (Debian lenny) for it, so it will probably be a fake sync rather than a patch in Ubuntu.

I just had a look at the highlighted packages for the week here and decided to look at the web frontend for BIND. You can view the CVE details here.

After an apt-get source of the package, let's have a look at the caller of the filter function in php/src/include.php:

 if(isset($_POST['username']) && isset($_POST['password'])) {
         // The only input validation: filter("alphanum", ...) is expected to
         // reject anything that is not purely letters and digits.
         if((!filter("alphanum", $_POST['username'])) or (!filter("alphanum", $_POST['password']))) {
                 die("Username and password must contain only letters and numbers.");
         }
         $_SESSION['username'] = $_POST['username'];
         $_SESSION['password'] = $_POST['password'];
 }
 
 if(isset($_SESSION['username']) && isset($_SESSION['password'])) {
         // The username is concatenated straight into the query text, so the
         // filter above is all that stands between the request and the SQL.
         $res = $dbconnect->query("SELECT ID FROM users " .
                                 "WHERE username = '" . $_SESSION['username'] .
                                 "' AND password = '" . md5($_SESSION['password']) . "'"
                                 );

And the filter function is as follows:

 function filter($type, $str, $empty = "yes") {
         // Neither pattern is anchored with ^ and $, so ereg() succeeds as soon
         // as a single matching character occurs anywhere in $str.
         $regex['num'] = "([0-9])";
         $regex['alphanum'] = "([A-Za-z0-9])";
         if(ereg($regex[$type], $str)) {
                 return true;
         }
         elseif(empty($str)) {
                 if($empty == "yes") {
                         return true;
                 }
                 elseif($empty == "no") {
                         return false;
                 }
         }
         else {
                 return false;
         }
 }

PHP isn't a favourite of mine, so I just try the regex at the interactive php prompt:

$ php -a
Interactive shell
php > if(ereg("([A-Za-z0-9])", "ASDF123")) { echo "test"; }
test
php > if(ereg("([A-Za-z0-9])", "!@#$")) { echo "test"; }
php > if(ereg("([A-Za-z0-9])", "ASDF!@#$")) { echo "test"; }
test

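As an added example (not smbind's code and not part of the original post), the following PHP puts the unanchored check next to an anchored one and performs the login lookup as a prepared statement instead of string concatenation. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with constructed sample data so it runs without MySQL or PostgreSQL; the function names filter_unanchored, filter_strict and lookup_user_id are made up for the example.

```php
<?php
// Added example, not smbind's code: unanchored check beside an anchored one,
// plus the login lookup as a prepared statement.

// Same semantics as the original filter(): the pattern has no anchors, so it
// matches if at least one alphanumeric character appears anywhere in $str.
// ereg() was removed in PHP 7, so the equivalent PCRE pattern is used here.
function filter_unanchored($str) {
    return preg_match('/([A-Za-z0-9])/', $str) === 1;
}

// Hardened check: ^ and $ force every character to be alphanumeric, and the
// empty-string case is decided explicitly, as the original $empty flag intended.
function filter_strict($str, $empty = "yes") {
    if ($str === '') {
        return $empty === "yes";
    }
    return preg_match('/^[A-Za-z0-9]+$/', $str) === 1;
}

// Login lookup with a prepared statement: the username reaches the SQL engine
// as a bound parameter and is never part of the query text. The md5() column
// is kept only to mirror the original schema. Assumes pdo_sqlite is loaded.
function lookup_user_id(PDO $db, $username, $password) {
    $stmt = $db->prepare("SELECT ID FROM users WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $username, ':p' => md5($password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['ID'];
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$ins = $db->prepare("INSERT INTO users (username, password) VALUES (:u, :p)");
$ins->execute([':u' => 'alice', ':p' => md5('Secret123')]);

// The inputs from the interactive session, plus the empty string.
$inputs = ['ASDF123', '!@#$', 'ASDF!@#$', ''];
foreach ($inputs as $in) {
    printf("%-12s unanchored=%-6s strict=%s\n", var_export($in, true),
        filter_unanchored($in) ? 'pass' : 'reject',
        filter_strict($in, "no") ? 'pass' : 'reject');
}

// A valid login finds the row; a username containing a quote is plain data
// to the prepared statement and simply matches nothing.
var_dump(lookup_user_id($db, 'alice', 'Secret123'));
var_dump(lookup_user_id($db, "alice' x", 'Secret123'));
```

Run it with the php command-line interpreter. The inputs from the interactive session behave the same way under filter_unanchored() as under the original ereg() call, while filter_strict() rejects "ASDF!@#$" because the anchors require every character to match. In lookup_user_id() the quote in the second username never reaches the query text, so the lookup returns no row rather than a changed query, which is the property the string-concatenation version in include.php lacks.
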
The pattern is unanchored, so ereg() returns true as soon as any single alphanumeric character appears anywhere in the string, which is why "ASDF!@#$" passes the filter and reaches the query. The upstream (Debian lenny) patch for this is to use mysql_real_escape_string/pg_escape_string:

++ if ($dbtype == "mysql")
++ $_SESSION['username'] = mysql_real_escape_string($_POST['username']);
++ else
++ $_SESSION['username'] = pg_escape_string($_POST['username']);
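Review bot: escaping at the point where the value is stored (`++ $_SESSION['username'] = mysql_real_escape_string($_POST['username']);`) fixes the query later built from $_SESSION['username'], but every other consumer of the session value now sees the escaped form; escaping immediately before the query, or better, binding the username as a query parameter, would leave the stored value intact. mysql_real_escape_string() also needs an open MySQL link to pick up the connection's character set, so this must run after the database connection used by $dbconnect->query() is established. The existing filter() call with its die() should stay in place above this, and the single-statement if/else without braces is inconsistent with the braced style of the surrounding code.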
