[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Advisory X41-2017-010: Command Execution in Shadowsocks-libev
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2017-10-27 16:09:53
Message-ID: 20171027160953.vriub4ox5ztmyzkj () eldamar ! local
[Download RAW message or body]

Hi

On Fri, Oct 13, 2017 at 06:44:21PM +0200, X41 D-Sec GmbH Advisories wrote:
> 
> X41 D-Sec GmbH Security Advisory: X41-2017-010
> 
> Command Execution in Shadowsocks-libev
> ======================================
> 
> Overview
> --------
> Severity Rating: High
> Confirmed Affected Versions: 3.1.0
> Confirmed Patched Versions: N/A
> Vendor: Shadowsocks
> Vendor URL: https://github.com/shadowsocks/shadowsocks-libev
> Vector: Local
> Credit: X41 D-Sec GmbH, Niklas Abel
> Status: Public
> CVE: not yet assigned
> Advisory-URL:
> https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/
> 
> 
> Summary and Impact
> ------------------
> Shadowsocks-libev offers local command execution per configuration file
> or/and additionally, code execution per UDP request on 127.0.0.1.
> 
> The configuration file on the file system or the JSON configuration
> received via UDP request is parsed and the arguments are passed to the
> "add_server" function.
> The function calls "construct_command_line(manager, server);" which
> returns a string from the parsed configuration.
> The string gets executed at line 486 "if (system(cmd) == -1) {", so if a
> configuration parameter contains "||evil command&&" within the "method"
> parameter, the evil command will get executed.
> 
> The ss-manager uses UDP port 8830 to get control commands on 127.0.0.1.
> By default no authentication is required, although a password can be set
> with the '-k' parameter.

CVE-2017-15924 has been assigned for this issue.

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]