TOR-013 pen-torproject#13: helper-scripts - Newline Injection in badconf-entry due to insecure Fingerprint validation

Due to insufficient validation of fingerprints, attackers can inject newlines, leading to manipulated config entries.

Technical Description

The load_args_as_fp function in util.py reads a fingerprint from argv and validates it. Afterwards, badconf-entry.py appends the fingerprint to the config file approved-routers.d/approved-routers.conf. However, the only validation is a length check on the stripped argument: str.strip() removes leading and trailing whitespace only, so a newline in the middle of the argument survives and still counts towards the required 40 characters. An attacker who controls the argument can therefore inject additional lines, and with them additional config entries, into approved-routers.conf.

helper-scripts/badconf-entry.py

def main():
    """ Entry point of script. """
    # Load arguments and consider them as fingerprints which are put in fps.
    load_args_as_fp(sys.argv, fps)
    [...]
    with open("approved-routers.d/approved-routers.conf", 'a') as routers_conf:
        routers_conf.write(comment_template_reject % \
                           (identifier, reported_by, date, expiry, message_id, reason))
        for fp in fps:
            routers_conf.write("!reject %s\n" % fp)

helper-scripts/util.py

def load_args_as_fp(args, fps):
    # Try to load the filename as arg.
    [...]
        else:
            # Filename is probably a fingerprint.
            fp = args[1].strip()
            fps.append(fp)
            if len(fp) != 40:
                print("[-] Filename %s not found or not valid fingerprint" % \
                      (filename))
                sys.exit(1)
            print("[+] Testing fingerprint %s" % (fp))
    else:
        print("[-] Missing filename or fingerprint. Stopping.")
        sys.exit(1)

Proof of Concept

python3 badconf-entry.py $'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nB'

-> Content of approved-routers.d/approved-routers.conf
# Identifier: ddce6a0a3aee7c0e
# Reported-by: x@x.c
# Date: 
# Expire: 30
# Gitlab issue: 
# Reason: 
!reject AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
B

Impact

The severity of this vulnerability depends on how the code is used. If, for example, the code were reused as a library in the future, attackers could manipulate config files remotely. At the time of the pentest it was a simple helper script for manual work; therefore, this vulnerability was rated as Low.

Recommendation

Validate the fingerprint with the regular expression ^[0-9A-Fa-f]{40}$ or use stem. Note that in Python's re module, $ also matches immediately before a trailing newline, so apply the pattern with re.fullmatch (or anchor it with \Z instead of $) to ensure that a fingerprint followed by a newline is rejected as well.
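To make the root cause described in the Technical Description and the fix above concrete, the following Python is an added example written for this page; it is not code from the helper-scripts repository. It reproduces the length-only check from util.py and the write loop from badconf-entry.py as pure functions (the function names and the in-memory rendering instead of a file write are assumptions for illustration), feeds them the argument from the Proof of Concept, and contrasts them with a re.fullmatch-based check. It also shows why the recommended pattern applied with re.match and a $ anchor still accepts a fingerprint that ends in a newline.

```python
import re

# Constructed input, copied from the report's PoC: 38 'A's, a newline, then 'B'.
# str.strip() removes only leading/trailing whitespace, so the interior newline
# survives and len() still reports exactly 40 characters.
POC_ARG = "A" * 38 + "\nB"

HEX40 = r"[0-9A-Fa-f]{40}"


def weak_is_fp(arg):
    """Reproduces the check in util.py: strip, then compare the length to 40."""
    fp = arg.strip()
    return len(fp) == 40


def dollar_anchored_is_fp(arg):
    """The recommended regex as written, applied with re.match.

    Pitfall: in Python's re module '$' also matches just before a trailing
    newline, so a valid fingerprint followed by '\\n' is accepted here.
    """
    return re.match(r"^" + HEX40 + r"$", arg) is not None


def strict_is_fp(arg):
    """Hardened check: re.fullmatch requires the entire string to be 40 hex digits.

    No strip() is applied on purpose; callers that want to tolerate
    surrounding whitespace should strip first and then validate.
    """
    return re.fullmatch(HEX40, arg) is not None


def render_reject_entries(fps):
    """Mirror of the write loop in badconf-entry.py, but returns the text
    instead of appending it to approved-routers.d/approved-routers.conf."""
    return "".join("!reject %s\n" % fp for fp in fps)


def safe_render_reject_entries(fps):
    """Hardened variant: refuse to write anything if any fingerprint fails
    the strict check, so no attacker-controlled newline reaches the file."""
    bad = [fp for fp in fps if not strict_is_fp(fp)]
    if bad:
        raise ValueError("invalid fingerprint(s): %r" % bad)
    return render_reject_entries(fps)


if __name__ == "__main__":
    fp = POC_ARG.strip()
    print("weak check accepts PoC:     ", weak_is_fp(POC_ARG))
    print("strict check accepts PoC:   ", strict_is_fp(fp))
    print("lines written by weak path: ", len(render_reject_entries([fp]).splitlines()))
    print("'$' accepts trailing newline:", dollar_anchored_is_fp("A" * 40 + "\n"))
    try:
        safe_render_reject_entries([fp])
    except ValueError as e:
        print("hardened path rejected:     ", e)
```

Running the module shows that the length-only check accepts the PoC argument while the strict check rejects it, and that a single argument produces two lines in the rendered config via the weak path. Projects that already depend on stem can call stem.util.tor_tools.is_valid_fingerprint instead of maintaining their own pattern; it performs the same 40-hex-digit check.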

Type

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')