diff options
author | Brenton Earl <brent@exitstatusone.com> | 2018-10-20 20:26:37 +0100 |
---|---|---|
committer | Willy Sudiarto Raharjo <willysr@slackbuilds.org> | 2018-10-21 06:47:01 +0700 |
commit | 0d93f8e9c9e07ec1fcc204fbd9564a00e20a9359 (patch) | |
tree | c989fdfe0a64a22c343c5f8ec206f46b5221ecb5 | |
parent | d006b62d5e07c6149c828f219435332b42f8b7c8 (diff) |
network/nikto: Fix CVE-2018-11652.
(* Security fix *)
Signed-off-by: David Spencer <baildon.research@googlemail.com>
-rw-r--r-- | network/nikto/nikto.SlackBuild | 9 | ||||
-rw-r--r-- | network/nikto/patches/CVE-2018-11652-CSV-injection.patch | 104 |
2 files changed, 112 insertions, 1 deletions
diff --git a/network/nikto/nikto.SlackBuild b/network/nikto/nikto.SlackBuild index 118f4d949af4..ac6cd320fe67 100644 --- a/network/nikto/nikto.SlackBuild +++ b/network/nikto/nikto.SlackBuild @@ -25,7 +25,7 @@ PRGNAM=nikto VERSION=${VERSION:-2.1.6} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} if [ -z "$ARCH" ]; then @@ -78,6 +78,13 @@ patch -p1 --verbose < $CWD/patches/nikto_core.plugin.diff # Fix path for Slackware patch -p1 --verbose < $CWD/patches/man_page.diff +# Fix CVE-2018-11652: https://nvd.nist.gov/vuln/detail/CVE-2018-11652 +# Allows remote attackers to inject arbitrary OS commands via the +# server field in an HTTP response header, which is directly +# injected into a CSV report +# PoC: https://www.exploit-db.com/exploits/44899/ +patch -p1 --verbose < $CWD/patches/CVE-2018-11652-CSV-injection.patch + # Install executable if [ "$ARCH" = "x86_64" ]; then install -Dm 755 $CWD/nikto64.sh $PKG/usr/bin/nikto diff --git a/network/nikto/patches/CVE-2018-11652-CSV-injection.patch b/network/nikto/patches/CVE-2018-11652-CSV-injection.patch new file mode 100644 index 000000000000..81ebc2cb526b --- /dev/null +++ b/network/nikto/patches/CVE-2018-11652-CSV-injection.patch @@ -0,0 +1,104 @@ +From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001 +From: sullo <sullo@cirt.net> +Date: Thu, 31 May 2018 23:30:03 -0400 +Subject: [PATCH] Fix CSV injection issue if server responds with a malicious + Server string & CSV output is opened in Excel or other spreadsheet app. + Potentially malicious cell start characters are now prefaced with a ' mark. + Thanks to Adam (@bytesoverbombs) for letting me know! + +Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split(). +--- + program/plugins/nikto_outdated.plugin | 2 +- + program/plugins/nikto_report_csv.plugin | 41 +++++++++++++++---------- + 2 files changed, 26 insertions(+), 17 deletions(-) + +diff --git a/program/plugins/nikto_outdated.plugin b/program/plugins/nikto_outdated.plugin +index 219505c..08562c5 100644 +--- a/program/plugins/nikto_outdated.plugin ++++ b/program/plugins/nikto_outdated.plugin +@@ -88,7 +88,7 @@ sub nikto_outdated { + $sepr = substr($sepr, (length($sepr) - 1), 1); + + # break up ID string on $sepr +- my @T = split(/$sepr/, $mark->{'banner'}); ++ my @T = split(/\\$sepr/, $mark->{'banner'}); + + # assume last is version... + for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; } +diff --git a/program/plugins/nikto_report_csv.plugin b/program/plugins/nikto_report_csv.plugin +index ce65cfe..76bdb3f 100644 +--- a/program/plugins/nikto_report_csv.plugin ++++ b/program/plugins/nikto_report_csv.plugin +@@ -53,10 +53,11 @@ sub csv_host_start { + my ($handle, $mark) = @_; + $mark->{'banner'} =~ s/"/\\"/g; + my $hostname = $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'}; +- print $handle "\"$hostname\"," +- . "\"$mark->{'ip'}\"," +- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\"," +- . "\"$mark->{'banner'}\"\n"; ++ print $handle "\"" . csv_safecell($hostname) . "\"," ++ . "\"" . csv_safecell($mark->{'ip'}) . "\"," ++ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\"," ++ #. "\"" . $mark->{'banner'} . "\"\n"; ++ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n"; + return; + } + +@@ -67,33 +68,41 @@ sub csv_item { + foreach my $uri (split(' ', $item->{'uri'})) { + my $line = ''; + my $hostname = $item->{'mark'}->{'vhost'} ? $item->{'mark'}->{'vhost'} : $item->{'mark'}->{'hostname'}; +- $line .= "\"$hostname\","; +- $line .= "\"$item->{'mark'}->{'ip'}\","; +- $line .= "\"$item->{'mark'}->{'port'}\","; ++ $line .= "\"" . csv_safecell($hostname) . "\","; ++ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \","; ++ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\","; + + $line .= "\""; + if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; } + $line .= "\","; + + $line .= "\""; +- if ($item->{'method'} ne '') { $line .= $item->{'method'}; } ++ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); } + $line .= "\","; + + $line .= "\""; + if (($uri ne '') && ($mark->{'root'} ne '') && ($uri !~ /^$mark->{'root'}/)) +- { $line .= $mark->{'root'} . $uri; } +- else { $line .= $uri; } ++ { $line .= csv_safecell($mark->{'root'}) . $uri; } ++ else { $line .= csv_safecell($uri); } + $line .= "\","; + +- my $msg = $item->{'message'}; +- $uri=quotemeta($uri); +- my $root = quotemeta($mark->{'root'}); +- $msg =~ s/^$uri:\s//; +- $msg =~ s/^$root$uri:\s//; ++ my $msg = $item->{'message'}; ++ $uri=quotemeta($uri); ++ my $root = quotemeta($mark->{'root'}); ++ $msg =~ s/^$uri:\s//; ++ $msg =~ s/^$root$uri:\s//; + $msg =~ s/"/\\"/g; +- $line .= "\"$msg\""; ++ $line .= "\"" . csv_safecell($msg) ."\""; + print $handle "$line\n"; + } + } + ++############################################################################### ++# prevent CSV injection attacks ++sub csv_safecell { ++ my $celldata = $_[0] || return; ++ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; } ++ return $celldata; ++} ++ + 1; +-- +2.19.1 + |