Bugzilla – Bug 1114853
VUL-1: CVE-2018-20106: yast2-printer: SMB printer settings test fails if the password includes a backtick
Last modified: 2023-03-22 14:07:12 UTC
In YaST printer settings, connection wizard, SMB/CIFS option, if the password of the user includes a backtick character, YaST always fails the connection test with the error:

    sh: -c: line 0: unexpected EOF while looking for matching ``'
    sh: -c: line 1: syntax error: unexpected end of file

If that backtick is escaped with a backslash, it works, but the backslash is considered to be a part of the password... So then it fails to actually print. So either the connection test succeeds, or the printing succeeds, not both.

On a somewhat related note, I wonder if there is a way to specify that the username and password ought to be requested every time from the user, instead of being stored on disk.
This is a security issue. I'm currently looking at issues like these in bsc#353876, but we can track this one already here.
Confirmed on Leap 15.0: Print via Network > Connection Wizard > Windows...(SMB/CIFS) > fill in Server+Printer+User+Password `xeyes` > Test Connection

y2log says:

    2018-11-15 14:07:33 <1> dhcp52(2290) [Ruby] modules/Printerlib.rb:97 Executing bash commandline: /usr/lib/YaST2/bin/test_remote_smb "myworkgroup" "myserver" "myprinter" "myuser" "mypass`xeyes`" 5
As far as I remember, at the time when the yast2-printer test scripts

    /usr/lib/YaST2/bin/test_device
    /usr/lib/YaST2/bin/test_remote_ipp
    /usr/lib/YaST2/bin/test_remote_lpd
    /usr/lib/YaST2/bin/test_remote_novell
    /usr/lib/YaST2/bin/test_remote_smb
    /usr/lib/YaST2/bin/test_remote_socket

were made, the reasoning why there are no input value checks was that when those scripts are called from the YaST printer module it was 'root' who made the input values. If root thinks it is a good idea to use e.g. '$( rm -rf / )' as password, he should know about possible consequences. Even when those scripts are called by another user, that user should also know how things work.

As far as I remember from the past (I have not worked on YaST modules for a long time - my last yast2-printer RPM changelog entry is from Jan. 2015) there are in general no such kind of input value checks in YaST, so that root could provide e.g. '$( rm -rf / )' at many places in YaST.
(In reply to Johannes Meixner from comment #3) We have two problems here. One is usability. Some passwords just don't work, so we need to fix it anyway. The other is a security problem. You're correct that root specifies these values, so we could go with the 'he has the right to shoot himself' argument. But we would like to add additional hardening measures since it's hard to judge if the input might not come from an untrusted source later on. So as a hardening measure we currently check problems like these (bsc#353876) and want to have them fixed.
I don't agree with the argument to begin with; if root sets the password as '$( rm -rf / )', they expect that this will make it so that the password is '$( rm -rf / )', rather than executing the password as a command. (Also, in this case the password is not root's, it's the printer's, so the user may have no control over what it is.)
I assigned CVE-2018-20106 for further tracking
Looking at the code of connectionwizard.rb [1] it seems that the vulnerable code was introduced with commit 5305ab79, which converted YCP files into Ruby. The code prior to that looks also vulnerable to this, although I did not test it. Unfortunately tags are not being used consistently, so I don't know which exact versions and/or codestreams are affected by this:

    password = (string)UI::QueryWidget( `pass, `Value );
    test_command = sformat( "%1test_remote_smb \"%2\" \"%3\" \"%4\" \"%5\" \"%6\" %7",
                            Printerlib::yast_bin_dir, workgroup, host, queue, user, password, timeout );
    if( ! Printerlib::ExecuteBashCommand( test_command) )

It was first introduced with commit fe970eca. Prior to that the code looked something like that:

    if( size( smb["user"]:"" ) > 0 && size( smb["pass"]:"" ) > 0 )
    {
        connection_uri = sformat( "%1%2:%3@", connection_uri, smb["user"]:"", smb["pass"]:"" );
    }

This connection_uri string is then handed over to the Printer object, but no Bash invocation is happening here (at least not in this module). After having a quick look at the code in question, I couldn't find any suspicious looking command execution. However, I might have missed something.

[1]: https://github.com/yast/yast-printer/blob/master/src/include/printer/connectionwizard.rb#L2972
Got fixed via https://build.opensuse.org/request/show/689019
So far not fixed for SUSE:SLE-12-SP3:Update/yast2-printer; we should still fix it there if possible.