Bug #299

CVE-2017-17517

Added by Hideki Yamane 4 months ago. Updated 4 months ago.

Status: New
Start date: 03/21/2018
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Security
Spent time: -
Target version: -

Description

Hi,

I've found a CVE was assigned to Sylpheed at https://security-tracker.debian.org/tracker/CVE-2017-17517

libsylph/utils.c in Sylpheed through 3.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.

Perhaps around https://sources.debian.org/src/sylpheed/3.7.0-3/libsylph/utils.c/#L4327 or so.

History

#1 Updated by Hiroyuki Yamamoto 4 months ago

Hello,

Hideki Yamane wrote:

I've found a CVE was assigned to Sylpheed at https://security-tracker.debian.org/tracker/CVE-2017-17517

libsylph/utils.c in Sylpheed through 3.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.

Perhaps around https://sources.debian.org/src/sylpheed/3.7.0-3/libsylph/utils.c/#L4327 or so.

I'm currently investigating this security advisory.
Currently I think Sylpheed is not vulnerable (unless you intentionally specify a badly implemented command).

Tested with the following examples but no success:

Command:
a) xdg-open '%s' (stock Sylpheed's DEFAULT_BROWSER_CMD)
b) sensible-browser '%s' (Debian-patched Sylpheed's DEFAULT_BROWSER_CMD)

BROWSER=firefox
BROWSER=epiphany
BROWSER=w3m

http://localhost/;ls
http://localhost/';ls%20'/
<a href='http://localhost/";ls'>Link</a>
<a href='http://localhost/";ls /'>Link</a>
<a href='http://localhost/"; ls /'>Link</a>
<a href='http://localhost/" ;ls /'>Link</a>
<a href='http://localhost/ &ls /'>Link</a>

URL strings are passed to the commands as-is, and arguments other than the first one are discarded.
Could you provide some exploit examples? (private e-mail is preferred, if any)
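Added example, not part of the thread and not Sylpheed's code: one way to validate a URL string before it is handed to an external browser command, which is the check the CVE text says is missing. The helper names are hypothetical, and the code assumes the URL fills a quoted '%s' slot or a single argv element, as in the commands listed in comment #1.

```c
/* Added example, not Sylpheed code; both helper names are hypothetical.
 * Assumption: the URL fills a quoted '%s' slot or exactly one argv element. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

static int has_allowed_scheme(const char *url)
{
    static const char *const schemes[] = { "http://", "https://", "ftp://" };
    size_t i;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        /* Case-insensitive scheme match with at least one byte after it. */
        if (strncasecmp(url, schemes[i], n) == 0 && url[n] != '\0')
            return 1;
    }
    return 0;
}

/* Returns 1 if url may be passed to the browser command, 0 if it is refused. */
int url_is_single_safe_arg(const char *url)
{
    const unsigned char *p;
    /* Requiring a scheme prefix also means the argument cannot begin
     * with '-' and be read by the browser as a command-line option. */
    if (url == NULL || !has_allowed_scheme(url))
        return 0;
    for (p = (const unsigned char *)url; *p != '\0'; p++) {
        if (*p <= 0x20 || *p == 0x7f)       /* space or control: splits arguments */
            return 0;
        if (strchr("'\"\\`", *p) != NULL)   /* quote, backslash, backtick */
            return 0;
    }
    return 1;
}

int main(void)
{
    /* URL strings taken from the test list in comment #1. */
    const char *samples[] = {
        "http://localhost/;ls", "http://localhost/';ls%20'/",
        "http://localhost/\";ls", "http://localhost/ &ls /",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s %s\n", samples[i],
               url_is_single_safe_arg(samples[i]) ? "pass" : "refuse");
    return 0;
}
```

The first sample passes because ';' is inert inside a single argument; the others are refused because a quote or a space could end or split the argument.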
