puppy technology

Untrusted Code Execution Bug in Sicuro (Round 2)

This has been fixed as of Sicuro v0.6.0.

This is a required update. There should be no loss in functionality.

Scott Olson found a major security hole in Sicuro, 8 months (almost to the day) after the one Jens Nockert found.

Scott demonstrated that you could use the $stdin variable to get a reference to the IO class. This provided unrestricted access to the filesystem and shell.

The following is the code Scott used:

io=$stdin.class;f=io.new(io.sysopen("hack", "w")); f.puts "you dun goofed"; f.close

The problem was simply that since $stdin wasn’t worth using, I had forgotten to change it to a StringIO instance. However, when looking into it, I found that STDOUT, STDERR, and STDIN were vulnerable to the same issue. This led to a rather verbose change that fixed it by placing any references to IO out of scope of the untrusted code.
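The check below is an added example, not Sicuro's code or its actual fix. It lists which of the standard stream references still hold a real IO object, and shows that swapping the globals for StringIO leaves the STDIN, STDOUT and STDERR constants exposed. The names stream_refs, io_leaks and with_stringio_streams are made up for illustration.

```ruby
require 'stringio'

# The six references through which code can reach a standard stream.
# The hash is rebuilt on every call so it reflects the current globals.
def stream_refs
  {
    '$stdin' => $stdin, '$stdout' => $stdout, '$stderr' => $stderr,
    'STDIN'  => STDIN,  'STDOUT'  => STDOUT,  'STDERR'  => STDERR
  }
end

# Names that currently hold a real IO object (IO or a subclass such as File).
# Any one of them hands code in the same process the IO class via `.class`.
# StringIO does not inherit from IO, so it is not reported.
def io_leaks
  stream_refs.select { |_name, obj| obj.is_a?(IO) }.keys
end

# Replace the three stream globals with StringIO while the block runs,
# then restore the originals even if the block raises.
def with_stringio_streams
  saved = [$stdin, $stdout, $stderr]
  $stdin, $stdout, $stderr = StringIO.new, StringIO.new, StringIO.new
  yield
ensure
  $stdin, $stdout, $stderr = saved
end

if $PROGRAM_NAME == __FILE__
  before = io_leaks
  during = with_stringio_streams { io_leaks }
  puts "real IO before swap: #{before.join(', ')}"
  puts "real IO during swap: #{during.join(', ')}"
end
```

The constants still appear in the second list because reassigning a global does not touch them, so a sandbox also has to keep those names out of the untrusted code's reach.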

I highly recommend that everyone upgrade immediately. This is a major security hole, and allows access to all of the IO class.