Page MenuHomePhabricator
Create Task
Maniphest T258763

Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368)
Closed, ResolvedPublicSecurity
Actions

Description

I discovered two vulnerabilities with the handling of firejail's --output parameter, which could potentially impact on MediaWiki's use of firejail:

  • firejail searches for --output anywhere in argv, it does not respect the end-of-options tag "--". So when MediaWiki forms a firejail command line by concatenating the firejail invocation with the main shell command, any "--output" option in the main shell command would be interpreted by firejail as an output parameter. This causes firejail to write the command's stdout (or stderr with --output-stderr) to the specified file.
  • When --output or --output-stderr are specified, firejail forms the command line arguments into a single string and re-executes the resulting command via bash -c. It does this without any quoting or escaping, it just separates the arguments with spaces. So effectively, properly quoted parameters in the original command are unquoted and interpreted for shell metacharacters.

Together, these vulnerabilities mean that if wfShellExec(), Shell::command() or any of their variants are executed by MediaWiki with unprefixed user input as one of the command parameters, the result is a shell execution vulnerability. The shell execution happens before firejail sets up its jail -- it is not constrained.

I reported this vulnerability to netblue30@yahoo.com per the firejail security policy at https://github.com/netblue30/firejail/security/policy .

Details

ProjectBranchLines +/-Subject
mediawiki/coremaster+40 -0SECURITY: Prevent invoking firejail's --output functionality
mediawiki/coreREL1_35+42 -0SECURITY: Prevent invoking firejail's --output functionality
mediawiki/coreREL1_34+42 -0SECURITY: Prevent invoking firejail's --output functionality
mediawiki/coreREL1_31+42 -0SECURITY: Prevent invoking firejail's --output functionality
Customize query in gerrit

Related Objects
Search...

Event Timeline

tstarling created this task.Jul 24 2020, 12:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 24 2020, 12:46 AM
tstarling added a project: Upstream.Jul 24 2020, 12:46 AM
Legoktm mentioned this in T257062: Lilypond seemingly not subject to restrictions (CVE-2020-29007).Jul 24 2020, 12:49 AM
Legoktm added projects: Patch-For-Review, MediaWiki-Shell.

The PoC from IRC was: MediaWiki\Shell\Shell::command('echo', 'a', '--output=/tmp/fjout',';id')->execute()->getStdout();

0001-SECURITY-Prevent-invoking-firejail-s-output-function.patch1 KBDownload

Proposed patch that checks every arg passed to FirejailCommand to ensure it doesn't start with --output.

tstarling added a comment.Jul 24 2020, 2:48 AM
In T258763#6331674, @Legoktm wrote:

Proposed patch that checks every arg passed to FirejailCommand to ensure it doesn't start with --output.

I deployed it.

Reedy moved this task from Incoming to Watching on the Security-Team board.Jul 27 2020, 3:10 PM
Reedy added a parent task: T256335: Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0.
tstarling triaged this task as Low priority.Jul 27 2020, 11:42 PM

We can leave this open for now to track the upstream issue.

tstarling added a comment.Jul 28 2020, 2:50 AM

Since there was no response from netblue30, I sent an email to Reiner Herrmann, as suggested by @Legoktm.

Legoktm added a comment.Aug 6 2020, 8:30 PM

This is public now: https://lists.debian.org/debian-security-announce/2020/msg00149.html

Legoktm added a comment.Aug 6 2020, 8:45 PM

Updated patch references the CVE IDs and includes a basic unit test.

0001-SECURITY-Prevent-invoking-firejail-s-output-function.patch2 KBDownload

Reedy mentioned this in T256335: Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0.Sep 7 2020, 10:28 PM
Reedy closed this task as Resolved.Sep 21 2020, 11:38 PM
Reedy assigned this task to Legoktm.
Reedy added a subscriber: Reedy.

Resolving for ease of tracking in parent.

Can be either reopened when the release is done (end of the week), or if we want to fork into another task for the continued work...

Though, we might want to keep this private (for now?) until upstream addresses the issue too?

Reedy mentioned this in T256341: Obtain CVEs for 1.31.9/1.34.3/1.35.0 security releases.Sep 22 2020, 9:41 PM
Reedy removed a project: Patch-For-Review.Sep 24 2020, 11:17 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".
Legoktm renamed this task from Vulnerabilities in firejail due to --output to Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368).Sep 27 2020, 11:57 AM
Reedy mentioned this in T268583: `Fatal exception of type "RuntimeException" ` when voting.Nov 24 2020, 12:13 AM
BEANS-X2 added a subscriber: BEANS-X2.Aug 25 2021, 4:11 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL