Vigil@nce - BSD: code execution via patch and ed
September 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can write a malicious patch with the ed syntax for
BSD, in order to run code when a victim applies this patch.
Impacted products: FreeBSD, NetBSD, OpenBSD.
Severity: 2/4.
Creation date: 31/07/2015.
DESCRIPTION OF THE VULNERABILITY
The patch tool is used to apply changes to a file tree from a diff
file indicating the parts to be altered.
The ed syntax can be used to write a diff. It is possible to perform
a substitution in ed with the following syntax:
"(.,.)s/RE/replacement/flags". It is also possible to execute a
shell command if a user adds the ’!’ character before this
command.
Usually, lines with the ’!’ character are not interpreted in the
BSD patch utility. However, when a substitution command is used in
ed with ’\’ followed by a line feed inside a "replacement"
pattern, the line with ’!’ will be interpreted.
An attacker can therefore write a malicious patch with the ed
syntax for BSD, in order to run code when a victim applies this
patch.
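The description above comes down to a per-line filter losing track of
where ed is in its command stream. The following pre-apply check is an
added example, not code from the bulletin or from any BSD project: it
follows ed's command/text state and accepts only the commands a
generated ed diff needs. The function name, the sample scripts and the
two accepted substitution forms are assumptions of this example.

```python
import re

# Commands a diff-generated ed script needs: optional line range + a/c/d/i.
EDIT_CMD = re.compile(r"^(\d+(,\d+)?)?([acdi])$")
# Assumption: the only substitutions diff generators emit are these two fixed
# forms, which undo the ".." escaping of a text line that is a single dot.
SAFE_SUBST = re.compile(r"^\d*s/(\.//|\^\\\.\\\./\./)$")


def check_ed_script(script):
    """Return (line number, reason) for every line outside the allowlist."""
    findings = []
    in_text = False  # True while reading the text block of an a/c/i command
    lineno = 0
    for lineno, line in enumerate(script.splitlines(), start=1):
        if in_text:
            # Text lines are data whatever they start with; "." ends the block.
            if line == ".":
                in_text = False
            continue
        m = EDIT_CMD.match(line)
        if m:
            in_text = m.group(3) in "aci"
        elif SAFE_SUBST.match(line):
            pass
        elif line.startswith("!"):
            findings.append((lineno, "shell escape in command mode"))
        elif re.match(r"^[\d,]*s", line):
            findings.append((lineno, "substitution outside the fixed forms"))
        else:
            findings.append((lineno, "unexpected ed command"))
    if in_text:
        findings.append((lineno, "unterminated text block"))
    return findings


# Constructed sample scripts (not taken from any real patch).
BENIGN = "3a\n!not a command: this is appended text\n.\n1d\n"
DOT_ESCAPE = "2a\n..\n.\n3s/.//\n"
BANG_IN_COMMAND_MODE = "1d\n!placeholder\n"
MULTILINE_SUBST = "1s/old/new\\\nrest/\n"
```

A script with any finding should be refused before it is handed to
patch; a general substitution is rejected outright, so the continuation
line after a trailing ’\’ never has to be classified.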
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/BSD-code-execution-via-patch-and-ed-17557