CVE-2018-11652 nikto: arbitray OS command injection via http server field.

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com> Reviewed-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
author: Nagalakshmi Veeramallu <nveeramallu@mvista.com> 2018-06-29 15:38:25 +0530
committer: Armin Kuster <akuster808@gmail.com> 2018-07-03 15:30:51 -0700
commit: a1406fe1c88308da81af907d11d21e2c03ee0c01 (patch)
tree: 740cb0d79d0026f3e005664380d1256df1aa16ac /recipes-security/nikto/files
parent: 055100292270cc2bb706df97ca308191435babf5 (diff)
download: meta-security-a1406fe1c88308da81af907d11d21e2c03ee0c01.tar.gz
1 files changed, 106 insertions, 0 deletions
diff --git a/recipes-security/nikto/files/CVE-2018-11652.patch b/recipes-security/nikto/files/CVE-2018-11652.patch
new file mode 100644
index 0000000..5ddb169
--- /dev/null
+++ b/recipes-security/nikto/files/CVE-2018-11652.patch
@@ -0,0 +1,106 @@
+From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
+From: sullo <sullo@cirt.net>
+Date: Thu, 31 May 2018 23:30:03 -0400
+Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
+ Server string & CSV output is opened in Excel or other spreadsheet app.
+ Potentially malicious cell start characters are now prefaced with a ' mark.
+ Thanks to Adam (@bytesoverbombs) for letting me know!
+Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
+CVE: CVE-2018-11652
+Upstream-Status: Backport
+Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
+---
+ plugins/nikto_outdated.plugin   |  2 +-
+ plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------
+ 2 files changed, 31 insertions(+), 13 deletions(-)
+diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
+index 72379cc..eb1d889 100644
+--- a/plugins/nikto_outdated.plugin
+++ b/plugins/nikto_outdated.plugin
+@@ -83,7 +83,7 @@ sub nikto_outdated {
+             $sepr = substr($sepr, (length($sepr) - 1), 1);
+ 
+             # break up ID string on $sepr
+-            my @T = split(/$sepr/, $mark->{'banner'});
+            my @T = split(/\\$sepr/, $mark->{'banner'});
+ 
+             # assume last is version...
+             for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
+diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
+index d13acab..b942e78 100644
+--- a/plugins/nikto_report_csv.plugin
+++ b/plugins/nikto_report_csv.plugin
+@@ -52,10 +52,12 @@ sub csv_open {
+ sub csv_host_start {
+     my ($handle, $mark) = @_;
+     $mark->{'banner'} =~ s/"/\\"/g;
+-    print OUT "\"$mark->{'hostname'}\","
+-      . "\"$mark->{'ip'}\","
+-      . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
+-      . "\"$mark->{'banner'}\"\n";
+    print $handle "\"" . csv_safecell($hostname) . "\","
+      . "\"" . csv_safecell($mark->{'ip'}) . "\","
+      . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
+      #. "\"" . $mark->{'banner'} . "\"\n";
+      . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
+
+     return;
+ }
+ 
+@@ -65,26 +67,42 @@ sub csv_item {
+     my ($handle, $mark, $item) = @_;
+     foreach my $uri (split(' ', $item->{'uri'})) {
+         my $line = '';
+-        $line .= "\"$item->{'mark'}->{'hostname'}\",";
+-        $line .= "\"$item->{'mark'}->{'ip'}\",";
+-        $line .= "\"$item->{'mark'}->{'port'}\",";
+        $line .= "\"" . csv_safecell($hostname) . "\",";
+        $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
+        $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
+ 
+         $line .= "\"";
+         if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
+         $line .= "\",";
+ 
+         $line .= "\"";
+-        if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
+        if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
+         $line .= "\",";
+ 
+         $line .= "\"";
+-        if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
+                       { $line .= csv_safecell($mark->{'root'}) . $uri; }
+               else { $line .= csv_safecell($ur
+         $line .= "\",";
+ 
+-        $item->{'message'} =~ s/"/\\"/g;
+-        $line .= "\"$item->{'message'}\"";
+-        print $handle "$line\n";
+       my $msg = $item->{'message'};
+       $uri=quotemeta($uri);
+       my $root = quotemeta($mark->{'root'});
+       $msg =~ s/^$uri:\s//;
+       $msg =~ s/^$root$uri:\s//;
+         $msg =~ s/"/\\"/g;
+        $line .= "\"" . csv_safecell($msg) ."\"";
+         print $handle "$line\n";
+
+     }
+ }
+ 
+###############################################################################
+# prevent CSV injection attacks
+sub csv_safecell {
+    my $celldata = $_[0] || return;
+    if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
+    return $celldata;
+}
+
+
+ 1;
+-- 
+2.6.4
author	Nagalakshmi Veeramallu <nveeramallu@mvista.com>	2018-06-29 15:38:25 +0530
committer	Armin Kuster <akuster808@gmail.com>	2018-07-03 15:30:51 -0700
commit	a1406fe1c88308da81af907d11d21e2c03ee0c01 (patch)
tree	740cb0d79d0026f3e005664380d1256df1aa16ac /recipes-security/nikto/files
parent	055100292270cc2bb706df97ca308191435babf5 (diff)
download	meta-security-a1406fe1c88308da81af907d11d21e2c03ee0c01.tar.gz

diff --git a/recipes-security/nikto/files/CVE-2018-11652.patch b/recipes-security/nikto/files/CVE-2018-11652.patch new file mode 100644 index 0000000..5ddb169 --- /dev/null +++ b/recipes-security/nikto/files/CVE-2018-11652.patch
@@ -0,0 +1,106 @@
	1	From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
	2	From: sullo <sullo@cirt.net>
	3	Date: Thu, 31 May 2018 23:30:03 -0400
	4	Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
	5	Server string & CSV output is opened in Excel or other spreadsheet app.
	6	Potentially malicious cell start characters are now prefaced with a ' mark.
	7	Thanks to Adam (@bytesoverbombs) for letting me know!
	8
	9	Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
	10
	11	CVE: CVE-2018-11652
	12	Upstream-Status: Backport
	13	Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
	14	---
	15	plugins/nikto_outdated.plugin \| 2 +-
	16	plugins/nikto_report_csv.plugin \| 42 +++++++++++++++++++++++++++++------------
	17	2 files changed, 31 insertions(+), 13 deletions(-)
	18
	19	diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
	20	index 72379cc..eb1d889 100644
	21	--- a/plugins/nikto_outdated.plugin
	22	+++ b/plugins/nikto_outdated.plugin
	23	@@ -83,7 +83,7 @@ sub nikto_outdated {
	24	$sepr = substr($sepr, (length($sepr) - 1), 1);
	25
	26	# break up ID string on $sepr
	27	- my @T = split(/$sepr/, $mark->{'banner'});
	28	+ my @T = split(/\\$sepr/, $mark->{'banner'});
	29
	30	# assume last is version...
	31	for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
	32	diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
	33	index d13acab..b942e78 100644
	34	--- a/plugins/nikto_report_csv.plugin
	35	+++ b/plugins/nikto_report_csv.plugin
	36	@@ -52,10 +52,12 @@ sub csv_open {
	37	sub csv_host_start {
	38	my ($handle, $mark) = @_;
	39	$mark->{'banner'} =~ s/"/\\"/g;
	40	- print OUT "\"$mark->{'hostname'}\","
	41	- . "\"$mark->{'ip'}\","
	42	- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
	43	- . "\"$mark->{'banner'}\"\n";
	44	+ print $handle "\"" . csv_safecell($hostname) . "\","
	45	+ . "\"" . csv_safecell($mark->{'ip'}) . "\","
	46	+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
	47	+ #. "\"" . $mark->{'banner'} . "\"\n";
	48	+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
	49	+
	50	return;
	51	}
	52
	53	@@ -65,26 +67,42 @@ sub csv_item {
	54	my ($handle, $mark, $item) = @_;
	55	foreach my $uri (split(' ', $item->{'uri'})) {
	56	my $line = '';
	57	- $line .= "\"$item->{'mark'}->{'hostname'}\",";
	58	- $line .= "\"$item->{'mark'}->{'ip'}\",";
	59	- $line .= "\"$item->{'mark'}->{'port'}\",";
	60	+ $line .= "\"" . csv_safecell($hostname) . "\",";
	61	+ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
	62	+ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
	63
	64	$line .= "\"";
	65	if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
	66	$line .= "\",";
	67
	68	$line .= "\"";
	69	- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
	70	+ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
	71	$line .= "\",";
	72
	73	$line .= "\"";
	74	- if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
	75	+ { $line .= csv_safecell($mark->{'root'}) . $uri; }
	76	+ else { $line .= csv_safecell($ur
	77	$line .= "\",";
	78
	79	- $item->{'message'} =~ s/"/\\"/g;
	80	- $line .= "\"$item->{'message'}\"";
	81	- print $handle "$line\n";
	82	+ my $msg = $item->{'message'};
	83	+ $uri=quotemeta($uri);
	84	+ my $root = quotemeta($mark->{'root'});
	85	+ $msg =~ s/^$uri:\s//;
	86	+ $msg =~ s/^$root$uri:\s//;
	87	+ $msg =~ s/"/\\"/g;
	88	+ $line .= "\"" . csv_safecell($msg) ."\"";
	89	+ print $handle "$line\n";
	90	+
	91	}
	92	}
	93
	94	+###############################################################################
	95	+# prevent CSV injection attacks
	96	+sub csv_safecell {
	97	+ my $celldata = $_[0] \|\| return;
	98	+ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
	99	+ return $celldata;
	100	+}
	101	+
	102	+
	103	1;
	104	--
	105	2.6.4
	106