Bug 11281

Summary: FW: [FG-VD-18-127] Busybox Command Injection Vulnerability Notification
Product: Busybox Reporter: z.yang
Component: Standard ComplianceAssignee: unassigned
Status: RESOLVED FIXED    
Severity: critical CC: busybox-cvs
Priority: P1    
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:
Attachments: PoC, encrypted with Denys’ public key
PoC, encrypted with Denys’ public key
PoC, encrypted with Denys’ public key
PoC, encrypted with Denys’ public key
PoC, encrypted with Denys’ public key
Report

Description z.yang 2018-09-05 21:22:25 UTC 
Hi,

I am forwarding this finding because the vulnerability seems exists in the busybox. I’d like to confirm if it is a known issue.

I have tested it with busybox 1.28.1 (this is the latest binary I can find from https://busybox.net/downloads/binaries/) and executed the PoC in a simplest Linux at https://bellard.org/jslinux/vm.html?url=https://bellard.org/jslinux/buildroot-x86.cfg (From https://bellard.org/jslinux/index.html).

The details are encrypted with Denys’ public key (https://busybox.net/~vda/vda_pubkey.gpg).

I've emailed to busybox@busybox.net, but no respond. So I created this bug.


Thanks for your time,
Zhouyuan
Comment 1 z.yang 2018-09-05 21:23:39 UTC 
Created attachment 7711 [details]
PoC, encrypted with Denys’ public key
Comment 2 z.yang 2018-09-05 21:24:05 UTC 
Created attachment 7716 [details]
PoC, encrypted with Denys’ public key
Comment 3 z.yang 2018-09-05 21:24:27 UTC 
Created attachment 7721 [details]
PoC, encrypted with Denys’ public key
Comment 4 z.yang 2018-09-05 21:24:38 UTC 
Created attachment 7726 [details]
PoC, encrypted with Denys’ public key
Comment 5 z.yang 2018-09-05 21:24:47 UTC 
Created attachment 7731 [details]
PoC, encrypted with Denys’ public key
Comment 6 z.yang 2018-09-21 21:52:59 UTC 
Hi, Any news? I just change the component and importance.
Comment 7 z.yang 2018-09-21 23:45:55 UTC 
Tested with 1.29.3 on TinyCore Linux, PoC works.
Comment 8 z.yang 2018-09-22 00:17:01 UTC 
Created attachment 7786 [details]
Report
Comment 9 Denys Vlasenko 2018-09-24 12:38:44 UTC 
Already fixed by this commit:

commit c3797d40a1c57352192c6106cc0f435e7d9c11e8
Author: Denys Vlasenko <vda.linux@googlemail.com>
Date:   Tue Nov 7 18:09:29 2017 +0100
        
    lineedit: do not tab-complete any strings which have control characters
Comment 10 z.yang 2018-09-24 17:09:10 UTC 
Thanks for the confirmation.