This repository has been archived by the owner on Oct 10, 2019. It is now read-only.

[CVE-2017-12904] Remote code execution #591

Open
Minoru opened this issue Aug 17, 2017 · 4 comments

Comments

@Minoru
Collaborator

Minoru commented Aug 17, 2017

Dear users,

Jeriko One discovered a vulnerability that allows a remote attacker to execute arbitrary code on your computer.

An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. The vulnerability is triggered when bookmark-cmd is called; if you abort bookmarking before that, you're safe.

Newsbeuter versions 0.7 through 2.9 are affected.

Workaround

Update 2017.08.18: Do not use bookmarking until you apply the fix. See the comment below for details.

First of all, set bookmark-autopilot to no (that's the default). This gives you a chance to review inputs before executing your bookmark-cmd.

Second, when bookmarking items, pay close attention to titles and URLs. I can't possibly teach you how to recognize shell code in just a few paragraphs, so if unsure, just don't bookmark the thing.

Resolution

A fix has already been pushed to our Git repository: 96e9506

I managed to get in touch with maintainers in AUR, Debian, FreeBSD and Gentoo, so if you're running one of those, an update should arrive soon. If you're running something else, I encourage you to find out who maintains Newsbeuter for your distribution, contact them and point to the aforementioned commit. They'll know what to do.

Call to security researchers

If you discover a vulnerability, please disclose it to me privately at eual.jp@gmail.com, preferably encrypting the message for PGP key 356961A20C8BFD03.

(This has also been posted on our mailing list).

@Minoru Minoru added the bug label Aug 17, 2017
@tsipinakis
Contributor

This gives you a chance to review inputs before executing your bookmark-cmd.

This is not foolproof; the following PoC gives no indication that something is up unless you open the article first.

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example feed</title>
  <link href="http://example.com/blog/"/>
  <link type="application/atom+xml" rel="self" href="http://example.com/blog/atom.xml"/>
  <updated>2016-01-01T00:00:00+00:00</updated>
  <id>http://test.com.com/blog/</id>
  <author>
    <name>Test feed</name>
  </author>
  <entry>
    <title>Example feed title                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         $(echo 'RCE' >> $HOME/exploit)</title>
    <link href="http://example.com/posts/test/html"/>
    <updated>2016-01-01T00:00:00+00:00</updated>
    <id>http://example.com/posts/test</id>
    <content type="html">
     Example content
    </content>
  </entry>
</feed>

@Minoru
Collaborator Author

Minoru commented Aug 18, 2017

I stand corrected. The original PoC by Jeriko One actually used the same technique, but I was using a different example in my testing and totally forgot about this. Thanks, @tsipinakis!

New workaround: Don't bookmark items.

I'm going to update the top post now, and also write to the mailing list.

@lfam

lfam commented Aug 18, 2017

FYI, the patch in 96e9506 doesn't apply to Newsbeuter 2.9, so the distros are writing their own patches.

This is what Debian is using in their Newsbeuter 2.9-5+deb9u1 package:

Description: Fix an RCE vulnerability in the bookmark command
 Newsbeuter didn't properly escape the title and description fields before
 passing them to the bookmarking program, which could lead to remote code
 execution using the shell's command substitution functionality (e.g. "$()", ``,
 etc.)

Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
Last-Update: 2017-08-18

--- newsbeuter-2.9.orig/src/controller.cpp
+++ newsbeuter-2.9/src/controller.cpp
@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
        std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
        bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
        if (bookmark_cmd.length() > 0) {
-               std::string cmdline = utils::strprintf("%s '%s' %s %s",
+               std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
                                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
-                                                      stfl::quote(title).c_str(), stfl::quote(description).c_str());
+                                                      utils::replace_all(title,"'", "%27").c_str(),
+                                                      utils::replace_all(description,"'", "%27").c_str());
 
                LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
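Review bot: the change to `'%s' '%s' '%s'` is what closes the hole, since nothing but `'` is special inside single quotes, but the `utils::replace_all(title,"'", "%27")` and `replace_all(description, ...)` lines alter the data the bookmark program receives: an apostrophe in a title or description now arrives as the literal text `%27`. Quoting `'` as `'\''` instead is equally safe and keeps the argument byte-for-byte intact. The Description block should also note that url was already single-quoted before this change and that the removed `stfl::quote` calls were the unsafe part, so reviewers of other versions know which lines to look for.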

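As an added example (not Newsbeuter's code and not the Debian patch), the C++ below builds a command line of the shape controller::bookmark produces with three quoting strategies side by side: the unquoted path, the `'` to `%27` rewrite used in the patch, and standard POSIX single-quoting; a small check then looks for shell metacharacters outside single quotes. `bookmark.sh`, `quote_none`, `cmdline_is_unsafe` and the sample title (the payload from the PoC comment above, plus an apostrophe) are constructed stand-ins.

```cpp
#include <cstddef>
#include <string>
// Stand-in for the unpatched path: the title reaches the shell unquoted.
static std::string quote_none(const std::string& s) { return s; }

// Strategy of the Debian patch above: rewrite ' as %27, then single-quote.
// Safe for the shell, but an apostrophe in the title reaches the program as %27.
static std::string quote_percent27(const std::string& s) {
    std::string out = "'";
    for (char c : s) out += (c == '\'') ? std::string("%27") : std::string(1, c);
    return out + "'";
}

// POSIX single-quoting: close the quote, emit an escaped ', reopen. The
// argument arrives byte-for-byte unchanged, apostrophes included.
static std::string shell_single_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) out += (c == '\'') ? std::string("'\\''") : std::string(1, c);
    return out + "'";
}

// Same shape as the patched strprintf("%s '%s' '%s' '%s'", ...) call.
static std::string build_cmdline(const std::string& cmd, const std::string& url,
                                 const std::string& title, const std::string& desc,
                                 std::string (*q)(const std::string&)) {
    return cmd + " " + q(url) + " " + q(title) + " " + q(desc);
}

// Minimal check with sh rules for single quotes and backslash: does any
// character the shell would act on appear outside a single-quoted region?
// Double quotes are not modelled; none of the quoters above emit them.
static bool has_unquoted_metachar(const std::string& cmdline) {
    bool in_single = false;
    for (std::size_t i = 0; i < cmdline.size(); ++i) {
        char c = cmdline[i];
        if (in_single) { if (c == '\'') in_single = false; continue; }
        if (c == '\'') { in_single = true; continue; }
        if (c == '\\') { ++i; continue; }  // backslash escapes the next char
        if (std::string("$`;|&<>()").find(c) != std::string::npos) return true;
    }
    return false;
}

// Constructed sample: the payload hidden in the PoC title above, plus an apostrophe.
static const std::string kTitle = "Example title $(echo 'RCE' >> $HOME/exploit) it's";

// true for quote_none, false for either safe quoter (bookmark.sh is a placeholder).
static bool cmdline_is_unsafe(std::string (*q)(const std::string&)) {
    return has_unquoted_metachar(
        build_cmdline("bookmark.sh", "http://example.com/posts/test", kTitle, "desc", q));
}
```

Both quoters stop the substitution; only `shell_single_quote` hands the bookmark program the title exactly as the feed carried it.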
Minoru added a commit that referenced this issue Aug 19, 2017
Newsbeuter didn't properly shell-escape the arguments passed to the
bookmarking command, which allows a remote attacker to perform remote
code execution by crafting an RSS item whose title and/or URL contain
something interpretable by the shell (most notably subshell
invocations).

This has been reported by Jeriko One <jeriko.one@gmx.us>, complete with
PoC and a patch.

This vulnerability was assigned CVE-2017-12904.
@Minoru
Collaborator Author

Minoru commented Aug 19, 2017

@lfam, I sent patches for 2.8 and 2.9 to all maintainers that responded to me—AUR, Debian, FreeBSD, Gentoo, and now Slackware. The one you quote above is mine.

I now realize I should've simply pushed them to the repo. So I did; see newsbeuter-2.8-cve-2017-12904 and newsbeuter-2.9-cve-2017-12904 branches. Don't mind that CI failed on both—they just got old CI configurations; rest assured that I checked both patches and they compile fine.
