Mitigate Baron SameEdit (CVE-2021-3156) vulnerability

sles 15.2
shell weakness #4

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

sysconfig-0.85.4/tools/ifuser.c

Context:

The highlighted line of code below is the trigger point of this particular Sles 15.2 shell weakness.

 /*====================================================================*/

static void usage(char *s)
{
    fprintf(stderr, "usage: %s [-v] interface [target ...]\n", s);
    exit(1);
}

int main(int argc, char *argv[])
{
    char *dev, s[129], dest[16], mask[16], iface[10];
    route_t *r, *tbl, **tail;
    int i, verbose = 0, busy = 0;
    FILE *f;

    i = 1;
    if (argc < 2) usage(argv[0]);
    if (strcmp(argv[1], "-v") == 0) {
	verbose = 1; i++;
    }
    if ((*argv[i] == '-') || (argc < i+2)) usage(argv[0]);
    dev = argv[i]; i++;

    /* Get routing table */
    f = popen("netstat -nr", "r");
    if (f == NULL) {
	fprintf(stderr, "%s: could not get routing table: %s\n",
		argv[0], strerror(errno));
	return 2;
    }

    do {
	fgets(s, 128, f);
    } while (!feof(f) && !isdigit(s[0]));
    if (!isdigit(s[0]))
	return 0;

    tail = &tbl;
    do {
	r = malloc(sizeof(route_t));
	if (r == NULL) {
	    fprintf(stderr, "%s: out of memory\n", argv[0]);
	    return 2;
	}
	sscanf(s, "%s %*s %s %*s %*s %*s %*s %s", dest, mask, iface);
	resolv_name(dest, &r->dest);
	resolv_name(mask, &r->mask);
	r->match = (strcmp(iface, dev) == 0);
	*tail = r; tail = &(r->next);
    } while (fgets(s, 128, f) != NULL); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.