oss-sec mailing list archives
Re: Shell wildcards considered dangerous?
From: Noel Kuntze <noel.kuntze+oss-security@thermi.consulting>
Date: Mon, 9 Dec 2019 15:42:47 +0100
Hello, That is only a problem if the developer(s) foolishly didn't use "--" to terminate the command line options or they did, but the argument parser of the called program does not understand that "--" is a command line option terminator. See how the man page for GNU optarg (man 3 optarg). Quote below: [...] By default, getopt() permutes the contents of argv as it scans, so that eventually all the nonoptions are at the end. Two other modes are also implemented. If the first character of optstring is '+' or the envi‐ ronment variable POSIXLY_CORRECT is set, then option processing stops as soon as a nonoption argument is encountered. If the first character of optstring is '-', then each nonoption argv-element is handled as if it were the argument of an option with character code 1. (This is used by programs that were written to expect options and other argv-elements in any order and that care about the ordering of the two.) The special argument "--" forces an end of option-scanning regardless of the scan‐ ning mode. So no, if the developers took care and thought about this beforehand and checked, it's not a problem. TL;DR: Best practice is to do prog --arg1 --arg2 [...] -- non-opt-args Check if prog understands that -- terminates the list of passed options. Kind regards Noel Am 09.12.19 um 14:23 schrieb Georgi Guninski:
Remote version of this affects wu-ftpd from 2003: https://www.debian.org/security/2003/dsa-377 Summary: For trusted command PROGRAM, executing PROGRAM *.EXT may lead to arbitrary code execution, e.g. for PROGRAM=EXT=tar The main idea is the wildcard to add program options. Open problem: Are popular programs other than tar vulnerable? Since shell wildcards are unlikely to change, should best practice include not using *.EXT in shell? Example exploit vector: starting program in untrusted directories. Poc: ==== $rm -rf /tmp/1 ;mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue $ : > --to-command="yes .tar" #end creating, starts PoC tar xf *.tar #.tar (repeats) ====
-- Noel Kuntze IT security consultant GPG Key ID: 0x0739AD6C Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
Current thread:
- Shell wildcards considered dangerous? Georgi Guninski (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)