gsch2pcb `gnetlist-arg' in project file can lead to arbitrary code execution.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gEDA | Fix Released | High | Peter TB Brett | |
| geda-gaf (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
```
affects geda
tag gsch2pcb
security yes
done
```
The `--gnetlist-arg' option to gsch2pcb is used to pass arbitrary
arguments to gnetlist. This option can also be provided in a project
file.
This option can allow arbitrary code execution via a maliciously crafted
project file and/or schematics, by several possible vectors.
The most blatant is direct Scheme code execution:
```
gnetlist-arg "-c (display 'EVIL) (newline)"
```
Of middling deviousness is execution of Scheme programs disguised as
schematics:
```
gnetlist-arg -minnocuous.sch
gnetlist-arg -lharmless.sch
```
Most subtle is manipulation of the Scheme load path via the -L option:
```
gnetlist-arg -L.
```
If a file called `gnetlist' is placed in the same directory as
`evil.project' (easily confused with `gnetlistrc' by the hapless user),
it will be loaded in preference to `gnetlist.scm' installed with gEDA
and always loaded during gnetlist initialisation.
These attacks can all be easily reproduced.
Because gsch2pcb project files are usually considered in the minds of
users to be datafiles, this option (which would be fine if present in a
Makefile or some other file normally considered as an executed file) is
a security risk.
Recommended fix: `--gnetlist-arg' option should be disallowed in
gsch2pcb project files. The only "legitimate" gnetlist command-line
option it enables is `-O' (for passing backend options), and none of the
backends used by gsch2pcb currently take any options.
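As an added defender-side check (not code from this bug report or from gEDA), the Python below parses a gsch2pcb-style project file and flags every `gnetlist-arg` directive, naming the vector when the leading switch matches one described above. The sample project file, the `VECTORS` table and the line-oriented parsing rules are constructed for this example and do not reproduce gsch2pcb's own parser.

```python
from typing import List, Tuple

# Constructed sample project file (not one of the report's attachments).
SAMPLE_PROJECT = """\
# evil.project - constructed sample
schematics board.sch
output-name board
gnetlist-arg "-c (display 'EVIL) (newline)"
gnetlist-arg -minnocuous.sch
gnetlist-arg -L.
gnetlist-arg -Oharmless
"""

# Leading gnetlist switch -> the vector the report describes for it.
VECTORS = {
    "-c": "direct Scheme code execution",
    "-m": "Scheme program disguised as a schematic (-m)",
    "-l": "Scheme program disguised as a schematic (-l)",
    "-L": "Scheme load-path manipulation",
}


def parse_project_lines(text: str) -> List[Tuple[int, str, str]]:
    """Split a project file into (lineno, keyword, argument) tuples.

    Blank lines and '#' comments are skipped; the keyword is the first
    whitespace-delimited token and the rest of the line is its argument.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((lineno, parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def audit_project(text: str) -> List[Tuple[int, str]]:
    """Return (lineno, reason) for every gnetlist-arg directive.

    Every occurrence is reported, matching the report's recommendation
    that the option be disallowed in project files altogether.
    """
    findings = []
    for lineno, keyword, arg in parse_project_lines(text):
        if keyword != "gnetlist-arg":
            continue
        switch = arg.strip().strip('"')[:2]
        reason = VECTORS.get(switch, "gnetlist-arg passed through from project file")
        findings.append((lineno, reason))
    return findings
```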
visibility: private → public
tags: added: patch
Changed in geda: status: Fix Committed → Fix Released
> Most subtle is manipulation of the Scheme load path via the -L option:
>
> gnetlist-arg -L.
>
> If a file called `gnetlist' is placed in the same directory as
> `evil.project' (easily confused with `gnetlistrc' by the hapless user),
> it will be loaded in preference to `gnetlist.scm' installed with gEDA
> and always loaded during gnetlist initialisation.
This doesn't actually work exactly as described here, because gnetlist
tries to load a file called `gnetlist.scm' explicitly. A possible
attack is instead to use `-L' to replace a Scheme file loaded via
`(use-module)', e.g. part of the standard Scheme library.
I attach a proof-of-concept exploit for each attack detailed in this
bug. To reproduce, `cd' to the appropriate directory and run:
```
gsch2pcb evil.project
```
Note that "Arbitrary code" is printed to gsch2pcb output.