Miroirs/slackbuilds_ponce
1
0
Fork 0
mirror of https://github.com/Ponce/slackbuilds synced 2024-11-22 19:44:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

network/nikto: Fix CVE-2018-11652.

Browse source 
(* Security fix *)

Signed-off-by: David Spencer <baildon.research@googlemail.com>
This commit is contained in:
Brenton Earl 2018-10-20 20:26:37 +01:00 committed by Willy Sudiarto Raharjo
parent d006b62d5e
commit 0d93f8e9c9
No known key found for this signature in database
GPG key ID: 887B8374D7333381
2 changed files with 112 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
network/nikto/nikto.SlackBuild
View file

@ -25,7 +25,7 @@
PRGNAM=nikto
VERSION=${VERSION:-2.1.6}
BUILD=${BUILD:-1}
BUILD=${BUILD:-2}
TAG=${TAG:-_SBo}
if [ -z "$ARCH" ]; then
@ -78,6 +78,13 @@ patch -p1 --verbose < $CWD/patches/nikto_core.plugin.diff
# Fix path for Slackware
patch -p1 --verbose < $CWD/patches/man_page.diff
# Fix CVE-2018-11652: https://nvd.nist.gov/vuln/detail/CVE-2018-11652
# Allows remote attackers to inject arbitrary OS commands via the
# server field in an HTTP response header, which is directly
# injected into a CSV report
# PoC: https://www.exploit-db.com/exploits/44899/
patch -p1 --verbose < $CWD/patches/CVE-2018-11652-CSV-injection.patch
# Install executable
if [ "$ARCH" = "x86_64" ]; then
install -Dm 755 $CWD/nikto64.sh $PKG/usr/bin/nikto

104
network/nikto/patches/CVE-2018-11652-CSV-injection.patch Normal file
View file

@ -0,0 +1,104 @@
From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
From: sullo <sullo@cirt.net>
Date: Thu, 31 May 2018 23:30:03 -0400
Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
Server string & CSV output is opened in Excel or other spreadsheet app.
Potentially malicious cell start characters are now prefaced with a ' mark.
Thanks to Adam (@bytesoverbombs) for letting me know!
Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
---
program/plugins/nikto_outdated.plugin | 2 +-
program/plugins/nikto_report_csv.plugin | 41 +++++++++++++++----------
2 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/program/plugins/nikto_outdated.plugin b/program/plugins/nikto_outdated.plugin
index 219505c..08562c5 100644
--- a/program/plugins/nikto_outdated.plugin
+++ b/program/plugins/nikto_outdated.plugin
@@ -88,7 +88,7 @@ sub nikto_outdated {
$sepr = substr($sepr, (length($sepr) - 1), 1);
# break up ID string on $sepr
- my @T = split(/$sepr/, $mark->{'banner'});
+ my @T = split(/\\$sepr/, $mark->{'banner'});
# assume last is version...
for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
diff --git a/program/plugins/nikto_report_csv.plugin b/program/plugins/nikto_report_csv.plugin
index ce65cfe..76bdb3f 100644
--- a/program/plugins/nikto_report_csv.plugin
+++ b/program/plugins/nikto_report_csv.plugin
@@ -53,10 +53,11 @@ sub csv_host_start {
my ($handle, $mark) = @_;
$mark->{'banner'} =~ s/"/\\"/g;
my $hostname = $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'};
- print $handle "\"$hostname\","
- . "\"$mark->{'ip'}\","
- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
- . "\"$mark->{'banner'}\"\n";
+ print $handle "\"" . csv_safecell($hostname) . "\","
+ . "\"" . csv_safecell($mark->{'ip'}) . "\","
+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
+ #. "\"" . $mark->{'banner'} . "\"\n";
+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
return;
}
@@ -67,33 +68,41 @@ sub csv_item {
foreach my $uri (split(' ', $item->{'uri'})) {
my $line = '';
my $hostname = $item->{'mark'}->{'vhost'} ? $item->{'mark'}->{'vhost'} : $item->{'mark'}->{'hostname'};
- $line .= "\"$hostname\",";
- $line .= "\"$item->{'mark'}->{'ip'}\",";
- $line .= "\"$item->{'mark'}->{'port'}\",";
+ $line .= "\"" . csv_safecell($hostname) . "\",";
+ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
+ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
$line .= "\"";
if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
$line .= "\",";
$line .= "\"";
- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
+ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
$line .= "\",";
$line .= "\"";
if (($uri ne '') && ($mark->{'root'} ne '') && ($uri !~ /^$mark->{'root'}/))
- { $line .= $mark->{'root'} . $uri; }
- else { $line .= $uri; }
+ { $line .= csv_safecell($mark->{'root'}) . $uri; }
+ else { $line .= csv_safecell($uri); }
$line .= "\",";
- my $msg = $item->{'message'};
- $uri=quotemeta($uri);
- my $root = quotemeta($mark->{'root'});
- $msg =~ s/^$uri:\s//;
- $msg =~ s/^$root$uri:\s//;
+ my $msg = $item->{'message'};
+ $uri=quotemeta($uri);
+ my $root = quotemeta($mark->{'root'});
+ $msg =~ s/^$uri:\s//;
+ $msg =~ s/^$root$uri:\s//;
$msg =~ s/"/\\"/g;
- $line .= "\"$msg\"";
+ $line .= "\"" . csv_safecell($msg) ."\"";
print $handle "$line\n";
}
}
+###############################################################################
+# prevent CSV injection attacks
+sub csv_safecell {
+ my $celldata = $_[0] || return;
+ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
+ return $celldata;
+}
+
1;
--
2.19.1