GNOME Bugzilla – Bug 676342
remote code execution flaw in script-fu server 2.6.11
Last modified: 2012-08-16 19:28:20 UTC
There appears to be an exploitable security flaw in the script-fu server in gimp 2.6.11 Windows version (affecting both the script-fu console and the script-fu network server). This issue appears to be fixed in the latest version, 2.8.0 (although the script-fu network server does not appear to be working on my workstation (Windows 7 SP1). Are you aware of this flaw (since it appears to have been fixed somewhere along the line)? Best regards, Joe
I don't think that the server is secure at all (I'm pretty sure it allows access to any file the gimp process got access to), but what flaw are you talking about in particular?
Slightly different - there is a buffer overflow in the command parsing code such that a long command overwrites a function pointer on the heap and gives the attacker full control of EIP. You can test this by executing the following command in the script-fu console (which also gets triggered via the network server component..): (file-bmp-load 123 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa raw-filename)
Sorry, we don't fix bugs in 2.6 any longer, it's obsolete.
Oh, and btw, you should NOT (NOT NOT NOT) use script-fu server when security is a concern. It's merely a HACK, and not meant for any kind of production purposes WHATSOEVER.
ok that's fine then - I will release my security advisory with a note for users to upgrade to the latest, stable version of The GIMP (currently 2.8.0). The CVE number assigned is CVE-2012-2763. Best regards, Joe
Thanks for taking care of this. But please, rather advise users not to use script-fu-server at all. While it might be possible to make the server code itself secure, it still has access to all of GIMP's functionality, and can access whatever GIMP can access. The only safe-ish way to run it is IMO in a one-instance-per-user jailed/sandboxed/whatever environment.
Hi Michael, I think the access control issues of the script-fu network server are seperate from the buffer overflow vulnerablity and should be treated as such. Seems like the script-fu server could be fixed by implementing user authentication and transport layer encryption. Cheers, Joe
Hi Guys, Additionally to the buffer overflow, there is also a remote command execution vulnerability in scriptfu console for gimp 2.6 via the python-fu-eval scriptfu command: The following command will write "srt" to "/tmp/owned": (python-fu-eval 0 "file = open('/tmp/owned','w')\nfile.write('srt')") Cheers, Joe
See comment 4 :)
Joe, the current script-fu server is just not meant to be secure. If you run it, you provide access to your system with the privileges of the gimp (or script-fu or python) process.
Hi Micheal, I do understand that the network server was not designed to be secure. Nevertheless, there may be people out there using it without knowing the vulnerabilities inherent in it. Therefore I am obliged to release a public advisory. Just thought I'd let you know before I did so. Cheers, Joe
Joe, I understand and I fully agree. Actually, I think it would be best for all potential users if the advisory would discourage people from using the server at all, since it is inherently insecure, you'd effectively have to jail the gimp process in order to be able to use it all.
Michael, That's fine I will make sure that the solution posted says something like this: solution Due to inherent security vulnerabilities, the GIMP development team advise not using the scriptfu network server in environments where security is at all important. Cheers, Joe
The scriptfu network component in the 2.8 appears to be broken. Is this deliberate?
Not deliberate, I guess nobody tried it in ages.