aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNagalakshmi Veeramallu <nveeramallu@mvista.com>2018-06-29 15:38:25 +0530
committerArmin Kuster <akuster808@gmail.com>2018-07-03 15:35:25 -0700
commite5cdb6bcb6c17ad72d7a406ad5adc75aef0c2790 (patch)
tree6f16659f6dc93eaa1fd1587f761cc5c186339f07
parent3d863f72641f930e10ed1b6211d66b2c3d04d306 (diff)
downloadmeta-security-morty.tar.gz
meta-security-morty.tar.bz2
meta-security-morty.zip
CVE-2018-11652 nikto: arbitray OS command injection via http server field.morty
CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com> Reviewed-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--recipes-security/nikto/files/CVE-2018-11652.patch106
-rw-r--r--recipes-security/nikto/nikto_2.1.5.bb3
2 files changed, 108 insertions, 1 deletions
diff --git a/recipes-security/nikto/files/CVE-2018-11652.patch b/recipes-security/nikto/files/CVE-2018-11652.patch
new file mode 100644
index 0000000..5ddb169
--- /dev/null
+++ b/recipes-security/nikto/files/CVE-2018-11652.patch
@@ -0,0 +1,106 @@
+From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
+From: sullo <sullo@cirt.net>
+Date: Thu, 31 May 2018 23:30:03 -0400
+Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
+ Server string & CSV output is opened in Excel or other spreadsheet app.
+ Potentially malicious cell start characters are now prefaced with a ' mark.
+ Thanks to Adam (@bytesoverbombs) for letting me know!
+
+Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
+
+CVE: CVE-2018-11652
+Upstream-Status: Backport
+Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
+---
+ plugins/nikto_outdated.plugin | 2 +-
+ plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------
+ 2 files changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
+index 72379cc..eb1d889 100644
+--- a/plugins/nikto_outdated.plugin
++++ b/plugins/nikto_outdated.plugin
+@@ -83,7 +83,7 @@ sub nikto_outdated {
+ $sepr = substr($sepr, (length($sepr) - 1), 1);
+
+ # break up ID string on $sepr
+- my @T = split(/$sepr/, $mark->{'banner'});
++ my @T = split(/\\$sepr/, $mark->{'banner'});
+
+ # assume last is version...
+ for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
+diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
+index d13acab..b942e78 100644
+--- a/plugins/nikto_report_csv.plugin
++++ b/plugins/nikto_report_csv.plugin
+@@ -52,10 +52,12 @@ sub csv_open {
+ sub csv_host_start {
+ my ($handle, $mark) = @_;
+ $mark->{'banner'} =~ s/"/\\"/g;
+- print OUT "\"$mark->{'hostname'}\","
+- . "\"$mark->{'ip'}\","
+- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
+- . "\"$mark->{'banner'}\"\n";
++ print $handle "\"" . csv_safecell($hostname) . "\","
++ . "\"" . csv_safecell($mark->{'ip'}) . "\","
++ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
++ #. "\"" . $mark->{'banner'} . "\"\n";
++ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
++
+ return;
+ }
+
+@@ -65,26 +67,42 @@ sub csv_item {
+ my ($handle, $mark, $item) = @_;
+ foreach my $uri (split(' ', $item->{'uri'})) {
+ my $line = '';
+- $line .= "\"$item->{'mark'}->{'hostname'}\",";
+- $line .= "\"$item->{'mark'}->{'ip'}\",";
+- $line .= "\"$item->{'mark'}->{'port'}\",";
++ $line .= "\"" . csv_safecell($hostname) . "\",";
++ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
++ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
+
+ $line .= "\"";
+ if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
+ $line .= "\",";
+
+ $line .= "\"";
+- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
++ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
+ $line .= "\",";
+
+ $line .= "\"";
+- if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
++ { $line .= csv_safecell($mark->{'root'}) . $uri; }
++ else { $line .= csv_safecell($ur
+ $line .= "\",";
+
+- $item->{'message'} =~ s/"/\\"/g;
+- $line .= "\"$item->{'message'}\"";
+- print $handle "$line\n";
++ my $msg = $item->{'message'};
++ $uri=quotemeta($uri);
++ my $root = quotemeta($mark->{'root'});
++ $msg =~ s/^$uri:\s//;
++ $msg =~ s/^$root$uri:\s//;
++ $msg =~ s/"/\\"/g;
++ $line .= "\"" . csv_safecell($msg) ."\"";
++ print $handle "$line\n";
++
+ }
+ }
+
++###############################################################################
++# prevent CSV injection attacks
++sub csv_safecell {
++ my $celldata = $_[0] || return;
++ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
++ return $celldata;
++}
++
++
+ 1;
+--
+2.6.4
+
diff --git a/recipes-security/nikto/nikto_2.1.5.bb b/recipes-security/nikto/nikto_2.1.5.bb
index 8080d4a..19eb14f 100644
--- a/recipes-security/nikto/nikto_2.1.5.bb
+++ b/recipes-security/nikto/nikto_2.1.5.bb
@@ -7,7 +7,8 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \
- file://location.patch"
+ file://location.patch \
+ file://CVE-2018-11652.patch"
SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"
SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"