Bug 15001 (CVE-2022-28391)

Summary: netstat is vulnerable to escape sequence injection (busybox)
Product: Busybox
Reporter: John Helmert III <ajak>
Component: Other
Assignee: unassigned
Status: NEW
Severity: normal
CC: alex.kanavin, busybox-cvs
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
Attachments: patch 1/2, patch 2/2

Description John Helmert III 2022-09-19 15:41:51 UTC
I'm relaying this from Alpine's bug tracker as it seems nobody ever reported this upstream:

"Hey there,
Alpine ships BusyBox with the netstat applet enabled. This is vulnerable to escape sequence injection when used from a VT-compatible terminal. To exploit this vulnerability the PTR for a remote host must contain an escape sequence and the victim has to execute netstat. I've set up an example at [elided] with the PTR resolving to \027[33\;46mlocalhost.

$ dig -x [elided] @8.8.8.8

; <<>> DiG 9.16.25 <<>> -x [elided] @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59625
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;[elided]. IN PTR

;; ANSWER SECTION:
[elided]. 1 IN PTR \027[33\;46mlocalhost.

;; Query time: 55 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 03 00:11:16 DST 2022
;; MSG SIZE  rcvd: 132

If you try to ssh [elided] and run netstat -t while trying to establish the connection from a different terminal, the second terminal will change the background and font color. Other escape sequences may lead to code execution."

Alpine carries some patches but Ariadne says they're incorrect:

https://bugs.gentoo.org/836920
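
One way a tool that prints resolver-supplied names can neutralise the sequence described in this report, shown as an added example (it is not BusyBox code and not the Alpine patches attached to this bug). The helper name `sanitize_hostname` is hypothetical, and the sample name is constructed from the PTR value quoted in the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from BusyBox): copy src into dst, replacing every
 * byte outside printable ASCII (0x20..0x7e) with '?'. This covers ESC (0x1b),
 * the other C0 controls, DEL, and the 8-bit C1 range, where 0x9b acts as a
 * one-byte CSI on some terminals. Returns the number of bytes replaced. */
size_t sanitize_hostname(char *dst, size_t dstsz, const char *src)
{
    size_t i = 0, replaced = 0;

    if (dstsz == 0)
        return 0;
    for (; src[i] != '\0' && i + 1 < dstsz; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)c;
        }
    }
    dst[i] = '\0';              /* always terminated, truncating if needed */
    return replaced;
}

/* Constructed sample: the name behind the PTR quoted in the report, where
 * dig's \027 is decimal 27 (ESC) and \; is a literal semicolon. */
const char sample_ptr[] = "\x1b[33;46mlocalhost";

int main(void)
{
    char safe[256];
    size_t n = sanitize_hostname(safe, sizeof(safe), sample_ptr);

    /* Only the sanitized copy is ever written to the terminal. */
    printf("%s (%zu of %zu bytes replaced)\n", safe, n, strlen(sample_ptr));
    return 0;
}
```
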

Comment 1 Aldo Vargas 2023-11-09 16:59:29 UTC
CVE-2022-28391 is still shown as 'Fix not available' per different scanners for Busybox, is this something that will be fixed soon?

Comment 2 Alexander Kanavin 2024-02-29 10:19:11 UTC
Created attachment 9718
patch 1/2

Comment 3 Alexander Kanavin 2024-02-29 10:19:34 UTC
Created attachment 9721
patch 2/2

Comment 4 Alexander Kanavin 2024-02-29 10:20:47 UTC
I have attached the two patches originating from Alpine and rebased on current busybox master. I'm not sure if they're correct, so reluctant to submit them formally. Please consider and adjust as needed.