dccsend with arguments security issue [SOLVED]

dmg · Post by **dmg** » Mon Apr 20, 2009 9:17 pm

Hi guys!

I'm a beginner at tcl scripting and i've made a script that looks something like this:

set chan "#ascii"
set botdir  "/home/dmg/hosee2"
set rootdir "$botdir/filesys"
set scrver   "getdiz"
set author   "dmg"

bind pub v !get get_file

proc get_file { nick uhost hand chan args } {
  global rootdir
  global scrver
  global author
  regsub -all -nocase {[^[:alnum:][][$\\]._()!'?^-]} [lindex $args 0] {} arg
  if { [llength $arg] != 1 } {
	putchan $chan "Usage: !get \[\[path\] <filename>\]"
	return 0
  } else {
	  set find "$rootdir/$arg"
	  set send [dccsend $find $nick]
	  putchan $chan "requesting transfer of $arg to $nick"
	  if { [passwdok $hand ""] == 1 } {
		putchan $chan "you have to set a password (or maybe you must identify yourself?)."
		return 0
	  }
  if { $send == 0 } { putchan $chan "\002ok!\002 sending file" }
  if { $send == 1 } { putchan $chan "too many connections. try again later)" }
  if { $send == 2 } { putchan $chan "can't open a socket for the transfer. try again later" }
  if { $send == 3 } { putchan $chan "the file $arg \002does not exist\002 (maybe you entered the wrong path?)" }
  if { $send == 4 } { putchan $chan "too many simultanious transfers. putting file in queue" }
  putchan $chan "---==(\\/)- $scrver by $author -(\\/)==---"
  return 1
  }
}
putlog "$scrver by $author"

Everything is fine and dandy except that i found out that it will accept any kind of argument to it so using !get ../../filename or whichever path/file not limited by local rights settings would be possible.

My question is: How could i limit the script/argument to refuse access outside of the $rootdir variable?

..oh, and if you wonder, the regexp is because the files in my archive (ascii art), can sometimes have crazy characters in the filename.

Please be gentle with me since i haven't quite understood how everything works and what everything does yet

raider2k · Post by **raider2k** » Mon Apr 20, 2009 9:49 pm

maybe i didnt quite understand what you want to do, but what i understood until now is that you want users ONLY have access to $rootdir and below but nowhere else than $rootdir and below?

if thats the case i dont see anything wrong because $rootdir is "hardcoded" and since you are using $arg as an addition to $rootdir your users will get "jailed" into $rootdir anyway.

correct me if i got something wrong

edit:

what you COULD do to limit ../../ is to add:

Code: Select all

if { [regexp -all -nocase -- {\.\./} $arg] } {
	putlog "wrong path"
	return 0
}

dmg · Post by **dmg** » Mon Apr 20, 2009 9:56 pm

yea

Any user with access to the !get command and a known filename could use it like this f.i.:

03:54 <@dMG> !get ../../../../etc/passwd
03:54 <@hosee2> requesting transfer of ../../../../etc/passwd to dMG
03:54 <@hosee2> ok! sending file
03:54 <@hosee2> ---==(\/)- getdiz by dmg -(\/)==---

so they don't seem to be jailed to the $rootdir (as i too thought first).

edit:

thx! i'll try playing around with that!

raider2k · Post by **raider2k** » Mon Apr 20, 2009 10:00 pm

03:54 <@dMG> !get ../../../../etc/passwd
03:54 <@hosee2> requesting transfer of ../../../../etc/passwd to dMG
03:54 <@hosee2> ok! sending file
03:54 <@hosee2> ---==(\/)- getdiz by dmg -(\/)==---

woah lol
yup thats really a nice one

try the possible solution i gave you, should work out fine, if not try

Code: Select all

if { [string equal -nocase "*../*" $arg] } {
   putlog "wrong path" 
   return 0
}

theres always more than one way to solve something

dmg · Post by **dmg** » Mon Apr 20, 2009 10:07 pm

Thank you very much for your help. The first example worked just fine!

Isn't that the beauty with scripting and programming that you're almost never limited to a single way to solve things

raider2k · Post by **raider2k** » Mon Apr 20, 2009 10:11 pm

definately ^^
<3 tcl