Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use full path of cmd.exe #136

Merged
merged 6 commits into from
May 2, 2022
Merged

Use full path of cmd.exe #136

merged 6 commits into from
May 2, 2022

Conversation

xiaoyinl
Copy link
Contributor

This patch prevents running cmd.exe from the working directory, which may be attacker-controlled. It fixes CVE-2019-17664.

Related discussion on Ghidra: NationalSecurityAgency/ghidra#107

@xiaoyinl
Use full path of cmd.exe
2d272c0 
This patch prevents running cmd.exe from the working directory, which may be attacker-controlled. It fixes CVE-2019-17664.
@xiaoyinl
Expand SystemRoot before calling getCommandResult
64ef25d
@xiaoyinl
Copy link
Contributor Author

xiaoyinl commented Apr 6, 2022

Hi @jeff5, does this PR look good to you? Let me know if there’s anything I need to do to get this merged. Thank you.

@jeff5 jeff5 added this to the Jython 2.7.3 milestone Apr 24, 2022
@jeff5
Copy link
Member

jeff5 commented Apr 24, 2022

This looks right to me, but I shall download and verify. I think resolving the symbol SystemRoot was a good choice in the second commit.

@jeff5
Copy link
Member

jeff5 commented Apr 24, 2022

@xiaoyinl : Was there a reason for not using COMSPEC as in the discussion on NationalSecurityAgency/ghidra#107 ?

On my machine ComSpec is set from the expression %SystemRoot%\system32\cmd.exe so it's the same thing really. However, on a sufficiently old machine it might be C:\Windows\SysWOW64\cmd.exe (or C:\DOS\COMMAND.COM, in ancient history). I don't know whether we would run on such a machine, but in principle the location of cmd.exe can change.

@xiaoyinl
Copy link
Contributor Author

xiaoyinl commented Apr 24, 2022
edited

@jeff5 I didn't use ComSpec because I don't know if this environment variable always exists, and I mistakenly believed ComSpec is always the same as %SystemRoot%\system32\cmd.exe. Now I agree it's better to use ComSpec, since the location of cmd.exe can change.

Do you want to fall back to %SystemRoot%\system32\cmd.exe if ComSpec doesn't exist? Or trust ComSpec always exists, like this: Matcher m = p.matcher(Py.getCommandResult(System.getenv("ComSpec"), "/c", "ver"));

@jeff5
Copy link
Member

jeff5 commented Apr 24, 2022

I think I would assume ComSpec exists.

I have a couple of changes to push onto this PR, so don't change just yet.

@jeff5
Update NEWS and acknowledge author.
ca18d9a 
Also, line wrap at 100.
@jeff5
Copy link
Member

jeff5 commented Apr 24, 2022

@xiaoyinl : If you now pull from your PR branch you will have the the merge I made from the development tip on which you can try the ComSpec change. If it is not defined, the os version strings just end up empty strings (existing behaviour). I might reconsider that in a separate change.

When you're done, I'll squash and merge.

@xiaoyinl
Copy link
Contributor Author

@jeff5 I have made the change, and tested it: with this PR applied, sys.getwindowsversion() launches cmd.exe from the System32 directory correctly.

@jeff5 jeff5 merged commit 15e6613 into jython:master May 2, 2022
@xiaoyinl xiaoyinl deleted the patch-1 branch May 2, 2022 08:51
@jeff5
Copy link
Member

jeff5 commented May 2, 2022

@xiaoyinl : thanks for your collaboration on this.

As it is relatively minor and follows the proposals on NationalSecurityAgency/ghidra#107, we can manage without the PSF contributor agreement this time.

jeff5 added a commit to jeff5/jython that referenced this pull request May 2, 2022
@jeff5
Replace further occurrences of cmd.exe with ComSpec
bd6dc94 
This follows jython#136, fixing the same problem in other places before anyone
raises another CVE. Unfortunately, with a security manager in play, one
cannot always look up ComSpec, and a soft-fail to the hard-coded
location becomes worthwhile (full path, not cmd.exe).
@xiaoyinl xiaoyinl mentioned this pull request Jul 9, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Jython 2.7.3
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@xiaoyinl @jeff5