Full Disclosure mailing list archives

Exploiting Wildcard Expansion on Linux
From: Stephen Chavez <elysium.xen () gmail com>

Date: Mon, 23 Jun 2014 23:08:33 -0600

Hi,

I found a way to abuse "*" in bash. I can make an arbitrary code execution attack. This is a well-known problem, but it still surprises a lot of people. It's been discussed on this list before:

http://seclists.org/fulldisclosure/2011/Sep/190

Suppose we have control over the contents of a directory, and inside that directory our victim will run the following command. Imagine, for example, that the user just downloaded a web application's source code from the attacker's website and is uploading the files to their web server.

    $ scp * user () example org:/var/www/

To exploit this command, in the directory we place these files.

- "-o" - SCP will interpret this file as the "-o" switch.
- "ProxyCommand sh supercool.sh %h %p" - SCP will interpret this file's name as the argument to the "-o" switch.
- "supercool.sh" - The script that will run, containing the attacker's code.
- "zzz.txt" - Another file in the directory which serves no purpose for the exploit.

Inside "supercool.sh", we have a script that will do what "ProxyCommand" is supposed to do, along with some malicious commands. When the victim runs their scp command, it will appear successful:

    $ scp * user () example org:/var/www/
    supercool.sh
    zzz.txt

But really, supercool.sh has executed, and we now have control of the user's system.
You can read the full details about this attack and download the entire proof of concept directory on my site here:

https://dicesoft.net/projects/wildcard-code-execution-exploit.htm
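The mechanism in the post is that the shell, not scp, expands "*", so a filename beginning with "-" reaches the command as a word that looks like an option. The following script is an added example, not part of Stephen Chavez's post or his proof-of-concept directory; it shows that expansion from the receiving command's side, the standard mitigation of writing the glob as "./*" so every expanded word starts with "./", and a small audit that flags option-like filenames before such a directory is passed to a bare glob. The scratch directory and its two file names ("-o" and "zzz.txt") are constructed for the demo, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): show what a bare glob hands to
# a command, contrast it with a "./"-prefixed glob, and audit a directory
# for filenames that begin with "-". POSIX sh; no external tools beyond mktemp.

# Create a scratch directory containing one harmless file whose name looks
# like a command-line switch and one ordinary file. Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/-o"           # constructed: a file named like an option
    : > "$d/zzz.txt"      # constructed: an ordinary file
    printf '%s\n' "$d"
}

# Count how many of the given words a getopt-style parser would read as
# options, i.e. words that start with "-". Prints the count.
count_option_words() {
    n=0
    for a in "$@"; do
        case "$a" in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Expand the glob the way the victim's command line does ("*") and report how
# many option-like words the command receives.
expand_bare() { ( cd "$1" && count_option_words * ); }

# Same expansion with the mitigated spelling ("./*"): every word now begins
# with "./" so none can be mistaken for an option.
expand_prefixed() { ( cd "$1" && count_option_words ./* ); }

# Audit a directory: print each entry whose name starts with "-" and return 1
# if any were found, 0 if the directory is safe to pass through a bare glob.
audit_glob_dir() {
    dir="$1"; found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue              # pattern matched nothing
        case "${f##*/}" in
            -*) printf 'option-like filename: %s\n' "${f##*/}"; found=1 ;;
        esac
    done
    return "$found"
}

demo() {
    d=$(make_demo_dir) || exit 1
    echo "bare glob (*)    : $(expand_bare "$d") option-like word(s)"
    echo "prefixed (./*)   : $(expand_prefixed "$d") option-like word(s)"
    audit_glob_dir "$d" || echo "audit: do not pass this directory to a bare glob"
    rm -rf "$d"
}

demo
```

Running the script prints one option-like word for the bare glob, zero for the "./*" form, and the audit line naming "-o". The same "./*" rewrite (or terminating option parsing with "--" where the tool supports it) applies to any command that takes a glob of user-controlled filenames, not only scp.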