FYHTECH

FUN WITH LINUX

Remote-Code-Execution in Suricata-Update

6 April 2018

Overview

Detailed Description

The list of possible sources for suricata-update is downloaded from “https://www.openinfosecfoundation.org/rules/index.yaml” per default. Suricata-Update uses the insecure yaml.load()-function which could lead to remote code execution.

Proof-Of-Concept

Code will be executed if the yaml-file at https://openinfosecfoundation.org/rules/index.yamlcontains the following line:

hello: !!python/object/apply:os.system ['ls -l > /tmp/output']

The vulnerable function can be triggered by “suricata-update list-sources”. The locally stored index.yaml will be loaded in this function and the malicious code gets executed.

Solution

The provided fix was released in version 1.0.0b1

Credits

The remote-code-execution bug was discovered and fixed by Wolfgang Hotwagner(https://tech.feedyourhead.at/content/remote-code-execution-in-suricata-update)

[ Security  Suricata  CVE  ]
User image

My name is Wolfgang Hotwagner. I am a Linux and Information Security enthusiast from Vienna. This blog is about my journey through Computer Science.

Tag Cloud

Database One-Liner Software-Raid Docker Programming Crypto Postgresql apache Debian Mail External Anniversary Blog Open-Source Sysadmin Backup Fun PHP Bash Puppet Network Email Ruby LVM Proxy TerminalEmulator C Zsh xmas Toscom HackADay Desktop Suricata Tricks Certification logrotate Security Linux Nagios Kernel Mathematics Btrfs git vim CLI Ansible Raspberry Web ccc Shell Multimedia Perl Firewall openssl CVE Virtualization Hardware News Downloads

Recent Posts

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti