-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                     Virtual Security Research, LLC.
                        http://www.vsecurity.com/
                            Security Advisory

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Multiple Shell Metacharacter Injections in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
     Versions: 2.2.0-2.2.8 and likely earlier versions
     Severity: Medium to Low
       Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com>
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2055
    Reference: 
    http://www.vsecurity.com/bulletins/advisories/2007/afflib-shellinject.txt
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description:

> From the forensicswiki.org website[1]:

  "The Advanced Forensics Format (AFF) is an extensible open format for
   the storage of disk images and related forensic metadata. It was
   developed by Simson Garfinkel and Basis Technology."

AFFLIB(TM) is the reference implementation of the AFF(TM) format,
written primarily by Simson Garfinkel.  It comes in the form of an open
source library and a set of command line tools used to manipulate
AFF(TM) files.



Vulnerability Overview:

In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a
security code review of AFFLIB(TM) as a part of an internal tool
assessment process.  As a result, multiple vulnerabilities of varying
severities were discovered. The most significant of these
vulnerabilities are being announced publicly to raise awareness and help
end-users secure themselves against potential attack.

VSR found that user-supplied command line parameters were used in
several popen() calls without validation or escaping.  The attack
vectors available are limited, which reduces the overall severity of
these problems.

These vulnerabilities remain exploitable in the latest release (2.2.8), 
even though an attempt was made to check for a set of shell 
metacharacters.  All line numbers listed below are from version 2.2.0.


Vulnerability Details:

The following sections include detailed descriptions of the specific
instances of shell metacharacter injection found during the assessment.


* Shell Command Injections in Decompression Calls *

File: tools/afconvert.cpp
Lines: 245 & 255
Platforms Affected: Unix

Description:
A command line parameter is used without validation or escaping in a
popen() call. If this command (or this function) receives parameters
from an untrusted source, code execution would be a major risk.  Lines
240-257 are included below for illustration:

    /* Check to see if it is a gzip file... */
    if(probe_gzip(infile)
       && yesno("infile looks like a gzip file","Uncompress it","Uncompressing")){
       /* Open with a subprocess. We will need to use zlib when we move to Windows. */
       char buf[256];
       sprintf(buf,"gzcat %s",infile);
       a_in = af_popen(buf,"r");
    }

    /* Check to see if it is a bzip2 file... */
    if(!a_in
       && probe_bzip2(infile)
       && yesno("infile looks like a bzip2 file","Uncompress it","Uncompressing")){
       /* Open with a subprocess. We will need to use bzip2zlib when we move to Windows. */
       char buf[256];
       sprintf(buf,"bzcat %s",infile);
       a_in = af_popen(buf,"r");
    }

    char buf[256];
    sprintf(buf,"gzcat %s",infile);
    a_in = af_popen(buf,"r");

Since af_popen() ultimately uses the popen() system call, and infile
comes directly from a command line parameter, command line special
characters could be injected if an attacker could control the input.



* Shell Command Injection in Unused get_parameter Function *

File: aimage/ident.cpp
Line: 190
Platforms Affected: Unix

Description:
A function parameter is used without validation or escaping in a popen()
call. If this function (get_parameter) received arguments from an
untrusted source, code execution would be a major risk. This function
does not appear to be called at this time.



Vendor Response:

Simson Garfinkel was first contacted on 2007-03-31. The following
timeline outlines the responses from the vendor regarding this issue:

 2007-04-01 - Vendor provided details of all vulnerabilities
              identified.  
 2007-04-03 - Continued vendor communication.
 2007-04-05 - Vendor released version 2.2.6, containing multiple
              security fixes.
 2007-04-06 - Vendor notified VSR that fixes were released.
 2007-04-09 - VSR notified vendor that 9 vulnerability instances still 
              remained in latest release.
 2007-04-12 - Vendor confirmed that remaining vulnerabilities would be
              fixed in next release.
 2007-04-25 - Vendor released versions 2.2.7 and 2.2.8.  Vendor did not 
              notify VSR.
 2007-04-27 - VSR discovered new versions were released.  VSR inspected 
              version 2.2.8 and found that no additional vulnerabilities
              were fixed.  VSR advisories published.


Recommendation:

AFFLIB(TM) users should upgrade to the newest version.  Third-party
projects which rely on AFFLIB(TM) should encourage users to upgrade,
and/or incorporate fixes into their distribution of the library.

The update is available via:

 http://www.afflib.org/downloads/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following name to these issues.  This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

  CVE-2007-2055

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. AFF - Forensics Wiki
   http://www.forensicswiki.org/wiki/AFF

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only, and comes
with absolutely NO WARRANTY; not even the implied warranty of
merchantability or fitness for a particular purpose.  Virtual Security
Research, LLC nor the author accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Vulnerability Disclosure Policy:

  http://www.vsecurity.com/disclosurepolicy.html

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

AFF(TM) and AFFLIB(TM) are trademarks of Simson Garfinkel and Basis
Technology Corp.

Included source code excerpts are copyright Simson Garfinkel and Basis
Technology Corp.

This advisory is copyright (C) 2007 Virtual Security Research, LLC. All
rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGMjV8Q1RSUNR+T+gRAq8/AJ4kV2SSTjK6eNVcE6Jo5dntAfEroQCcCRMx
uSHoLJFCrlzt52B/FDTsCFc=
=EOSQ
-----END PGP SIGNATURE-----