[poppler] pdftohtml lets you run random shell commands

Albert Astals Cid aacid at kde.org
Thu Apr 19 02:48:43 PDT 2012 

--- El jue, 19/4/12, Ihar `Philips` Filipau escribió:

> On 4/19/12, Albert Astals Cid <aacid at kde.org>
> wrote:
> > You can do
> >  pdftohtml -c -dev 'jpeg /dev/null;cat
> /etc/passwd;#' /path/to/some/pdf/fil
> > and voila, you'll get your /etc/passwd printed on
> screen
> >
> > Definitely not nice.
> >
> > This is because we are using plain system() to run the
> gs command and it's
> > easy to inject stuff there
> >
> 
> My 0.02€
> 
> So what? User already can print /etc/passwd.

Now convert that in a rm -rf *

And now realize the pdftohtml can be called from a webservice.

Does it sound more critical to you now? It does for me

Albert

> 
> The problem of system() call is only relevant when the
> command is
> installed suid-root(*). And pretty much all systems install
> only
> required minimum of commands as suid-root. ((*) Or user
> convinces
> admin to run something as root in his own terminal - but you
> can't
> really do anything against idiot admins.)
> 
> > The real solution is moving to a fork+exec solution
> (path attached).
> 
> You use execvp() - that doesn't improve anything: the 'p'
> letter in
> execvp() stands for "path resolution", meaning that user can
> still add
> its own wrapper for "gs" command, adjust the $PATH and
> circumvent
> whatever you intended to prevent with the patch.
> 
> IOW, the exec*p*() functions are as insecure as the system()
> - unless
> of course you use absolute path for "gs" (what I gather
> would cause
> troubles for portability).
> 
> Simpler /fix/ would be to make the programs not runnable by
> root -
> `geteuid() != 0`. That would also cover the case of idiot
> admins. :)
> 
> Otherwise, in the patch, if one would replace the kinky
> va_list stuff
> with a GooList() of `char *` (iow, pack the command line
> onto the list
> (and add an accessor for the GooList::data)) the change
> would easily
> come off as a clean up. ;)
> 
> > The problem with that is that we loose support for
> platforms with system()
> > and without fork+exec (Windows).
> 
> The problem doesn't exist on Windows, since it doesn't have
> anything
> like suid. It's either user or Administrator(**). And if
> user can run
> a program as an administrator, then all bets are off. (The
> same case
> as an idiot *nix admin.)
> 
> (**) Win Vista/7 have something similar, but UAC would bark
> at it. So
> it doesn't change the parity.
> _______________________________________________
> poppler mailing list
> poppler at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/poppler
>

More information about the poppler mailing list