Strange advisory

I just saw something strange on http://nginx.org/en/security_advisories.html :
“An error log data are not sanitized
Severity: none
CVE-2009-4487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4487
Not vulnerable: none
Vulnerable: all”

Severity is labelled as ‘None’, though the CVE talks, among other stuff,
about ‘arbitrary commands and file write’.
Is your advisories page wrong? Is the CVE wrong? Has this been solved?

B. R.

Hello,

This has not been fixed in current nginx releases; it is not directly
related to nginx either. The problem is that outdated terminal emulators
would parse the potentially malicious commands in the log file. This
answer, “How to avoid escape sequence attacks in terminals?” on Unix &
Linux Stack Exchange, explains it better.


Regards,
Kurt C.

Hi!

Severity is labelled as ‘None’, though the CVE talks, among other stuff,
about ‘arbitrary commands and file write’.
Is your advisories page wrong? Is the CVE wrong? Has this been solved?

Afaik the nginx developers didn’t agree with this CVE advisory, because
it’s actually a terminal problem. Nginx cannot be exploited, but the user
looking at the log files can be.

Read the advisory for details [1].

Regards,

Lukas

[1] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt

I read the StackOverflow thread and it seems there are 2 teams
ping-ponging the problem:

  • One says that it is a terminal problem and that control and escape
    sequences should not be executed
  • The other says that those features are useful and that log files are
    supposed to be text-only, thus readable safely in a terminal (no control
    character should be there)

The advisory stands from the second point of view, which I tend to agree
with. If logs, which are supposed to be filled with text, cannot be
trusted, then everything around monitoring (reading, parsing, copying)
becomes a nightmare.

What is the benefit of having those unescaped control characters in a
log file? Escaping them allows you to warn about their presence safely…
and that is directly exploitable by anything, once again safely.

B. R.

On Sunday 11 May 2014 06:25:53 B.R. wrote:
[…]

What is the benefit of having those unescaped control characters in a log
file? Escaping them allows you to warn about their presence safely… and
that is directly exploitable by anything, once again safely.

The benefit is that you can easily find in the error/debug log exactly what
a client has sent with binary precision, and therefore better diagnose
a problem. And this actually is the main purpose of the error log (normally
it’s just empty).

wbr, Valentin V. Bartenev
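An added example, not code from this thread or from nginx, of the compromise both sides describe: a filter that rewrites control characters in log lines as visible, reversible `\xNN` tokens, so nothing reaches the terminal unescaped (B.R.’s point) while the exact bytes the client sent can still be recovered for diagnosis (Valentin’s point). The sample lines are constructed in nginx error-log style, and the file name in the usage comment is hypothetical.

```python
import re
import sys

# Control bytes a terminal may interpret: C0 (minus newline and tab), DEL,
# and the C1 range 0x80-0x9f. Logs are read as latin-1 so every byte maps
# to exactly one code point and nothing is lost before escaping.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")
UNESCAPE_RE = re.compile(r"\\(x[0-9a-f]{2}|\\)")

# Constructed sample lines; the second carries an OSC "set window title"
# sequence (ESC ] 0 ; ... BEL) inside the path and the request URI.
SAMPLE_LINES = [
    '2014/05/11 06:25:53 [error] 1234#0: *1 open() "/var/www/html/missing" '
    'failed (2: No such file or directory), client: 192.0.2.1, '
    'request: "GET /missing HTTP/1.1"',
    '2014/05/11 06:25:54 [error] 1234#0: *2 open() "/var/www/html/\x1b]0;title\x07" '
    'failed (2: No such file or directory), client: 192.0.2.2, '
    'request: "GET /\x1b]0;title\x07 HTTP/1.1"',
    '2014/05/11 06:25:55 [notice] 1234#0: signal process started',
]

def has_control(line: str) -> bool:
    """True if the line contains anything a terminal might act on."""
    return CONTROL_RE.search(line) is not None

def escape_control(line: str) -> str:
    """Rewrite each control character as a visible \\xNN token.

    Backslashes already present are doubled first, so the result is
    unambiguous and unescape_control() can recover the original bytes."""
    doubled = line.replace("\\", "\\\\")
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), doubled)

def unescape_control(line: str) -> str:
    """Inverse of escape_control(), for tools that need the raw bytes back."""
    return UNESCAPE_RE.sub(
        lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1)[1:], 16)),
        line)

def sanitize_log(lines):
    """Escape every line and report which ones carried control characters,
    so a monitor can alert on them instead of silently rendering them."""
    flagged = [i for i, line in enumerate(lines) if has_control(line)]
    return [escape_control(line) for line in lines], flagged

if __name__ == "__main__":
    # Usage: python sanitize_log.py < error.log   (file name is hypothetical)
    src = sys.stdin.buffer.read().decode("latin-1").splitlines()
    cleaned, flagged = sanitize_log(src)
    for i, line in enumerate(cleaned):
        print(("! " if i in flagged else "  ") + line)
```

Flagged lines are prefixed with `!` so a monitoring pipeline can grep for them without ever emitting the raw sequence.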

Thanks to both of you for precisions about your point of view.

Having thought more about it, it seems indeed strange to interpret log
file content to execute a script snippet in order to change the window
title or alike, following the link Kurt provided.
It seems that old-fashioned habits have taken advantage of
backward-compatible features in modern emulated terminals.

Switching to the fact that emulator vendors should correct this, who to
contact for it? I suppose it has nothing to do with the kernel, but
rather with multiple GNU libraries around it.

B. R.

“One man’s data is another man’s code”

If this happened on Windows you’d scream murder, yet in 2014 you are
advocating an insecure workspace by allowing foreign control stuff to do
out-of-bound stuff.

Anything and anyone can create a file which contains stuff; it is the
responsibility of whatever views/reads it for what happens, not the
initial creator.

Posted at Nginx Forum: