Bug 11281 - FW: [FG-VD-18-127] Busybox Command Injection Vulnerability Notification
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Standard Compliance
Version: unspecified
Hardware: All Linux
Importance: P1 critical
Target Milestone: ---
Assignee: unassigned
 
Reported: 2018-09-05 21:22 UTC by z.yang
Modified: 2018-09-24 17:09 UTC



Attachments
PoC, encrypted with Denys’ public key (15.68 KB, application/x-zip-compressed), 2018-09-05 21:23 UTC, z.yang
PoC, encrypted with Denys’ public key (70.00 KB, application/octet-stream), 2018-09-05 21:24 UTC, z.yang
PoC, encrypted with Denys’ public key (70.00 KB, application/octet-stream), 2018-09-05 21:24 UTC, z.yang
PoC, encrypted with Denys’ public key (70.00 KB, application/octet-stream), 2018-09-05 21:24 UTC, z.yang
PoC, encrypted with Denys’ public key (70.00 KB, application/octet-stream), 2018-09-05 21:24 UTC, z.yang
Report (1.93 KB, text/plain), 2018-09-22 00:17 UTC, z.yang

Description z.yang 2018-09-05 21:22:25 UTC
Hi,

I am forwarding this finding because the vulnerability seems to exist in busybox. I’d like to confirm whether it is a known issue.

I have tested it with busybox 1.28.1 (this is the latest binary I can find from https://busybox.net/downloads/binaries/) and executed the PoC in a very simple Linux at https://bellard.org/jslinux/vm.html?url=https://bellard.org/jslinux/buildroot-x86.cfg (from https://bellard.org/jslinux/index.html).

The details are encrypted with Denys’ public key (https://busybox.net/~vda/vda_pubkey.gpg).

I've emailed busybox@busybox.net, but got no response, so I created this bug.


Thanks for your time,
Zhouyuan
Comment 1 z.yang 2018-09-05 21:23:39 UTC
Created attachment 7711
PoC, encrypted with Denys’ public key
Comment 2 z.yang 2018-09-05 21:24:05 UTC
Created attachment 7716
PoC, encrypted with Denys’ public key
Comment 3 z.yang 2018-09-05 21:24:27 UTC
Created attachment 7721
PoC, encrypted with Denys’ public key
Comment 4 z.yang 2018-09-05 21:24:38 UTC
Created attachment 7726
PoC, encrypted with Denys’ public key
Comment 5 z.yang 2018-09-05 21:24:47 UTC
Created attachment 7731
PoC, encrypted with Denys’ public key
Comment 6 z.yang 2018-09-21 21:52:59 UTC
Hi, any news? I just changed the component and importance.
Comment 7 z.yang 2018-09-21 23:45:55 UTC
Tested with 1.29.3 on TinyCore Linux, PoC works.
Comment 8 z.yang 2018-09-22 00:17:01 UTC
Created attachment 7786
Report
Comment 9 Denys Vlasenko 2018-09-24 12:38:44 UTC
Already fixed by this commit:

commit c3797d40a1c57352192c6106cc0f435e7d9c11e8
Author: Denys Vlasenko <vda.linux@googlemail.com>
Date:   Tue Nov 7 18:09:29 2017 +0100
        
    lineedit: do not tab-complete any strings which have control characters
Comment 10 z.yang 2018-09-24 17:09:10 UTC
Thanks for the confirmation.
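
The commit subject quoted in comment 9 names the mitigation: strings containing control characters are not tab-completed. The following is an added example of that kind of candidate filter, not BusyBox's code and not part of this thread; the function names, the `utf8` flag and the sample file names are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Return 1 if s holds a byte a terminal could interpret as a control code.
 * Assumption of this example: with utf8 != 0, bytes >= 0x80 are parts of
 * multibyte characters and are allowed; otherwise they are rejected too. */
static int has_control_chars(const char *s, int utf8)
{
    const unsigned char *p = (const unsigned char *)s;
    for (; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)   /* C0 controls (ESC, CR, LF, ...) and DEL */
            return 1;
        if (!utf8 && *p >= 0x80)       /* includes the C1 range 0x80-0x9f */
            return 1;
    }
    return 0;
}

/* Compact cands[] in place, keeping only names that are safe to offer
 * as completions. Returns the number kept; order is preserved. */
static size_t filter_matches(const char **cands, size_t n, int utf8)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (!has_control_chars(cands[i], utf8))
            cands[kept++] = cands[i];
    }
    return kept;
}

/* Constructed sample: directory entries as a completer might collect them. */
static const char *sample[] = {
    "notes.txt",
    "notes\x1b[2Jbackup",             /* embedded ESC sequence */
    "notes\nold",                     /* embedded newline */
    "notes-r\xc3\xa9sum\xc3\xa9.txt", /* UTF-8 name, no control bytes */
};

int main(void)
{
    size_t n = filter_matches(sample, sizeof sample / sizeof *sample, 1);
    for (size_t i = 0; i < n; i++)
        printf("offer: %s\n", sample[i]);
    return 0;
}
```

Rejected names are dropped from the candidate list entirely, so they are neither printed in the list of matches nor inserted into the edited command line.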