Date: Mon, 9 Dec 2019 15:42:47 +0100 From: Noel Kuntze <noel.kuntze+oss-security@...rmi.consulting> To: oss-security@...ts.openwall.com Subject: Re: Shell wildcards considered dangerous? Hello, That is only a problem if the developer(s) foolishly didn't use "--" to terminate the command line options or they did, but the argument parser of the called program does not understand that "--" is a command line option terminator. See how the man page for GNU optarg (man 3 optarg). Quote below: [...] By default, getopt() permutes the contents of argv as it scans, so that eventually all the nonoptions are at the end. Two other modes are also implemented. If the first character of optstring is '+' or the envi‐ ronment variable POSIXLY_CORRECT is set, then option processing stops as soon as a nonoption argument is encountered. If the first character of optstring is '-', then each nonoption argv-element is handled as if it were the argument of an option with character code 1. (This is used by programs that were written to expect options and other argv-elements in any order and that care about the ordering of the two.) The special argument "--" forces an end of option-scanning regardless of the scan‐ ning mode. So no, if the developers took care and thought about this beforehand and checked, it's not a problem. TL;DR: Best practice is to do prog --arg1 --arg2 [...] -- non-opt-args Check if prog understands that -- terminates the list of passed options. Kind regards Noel Am 09.12.19 um 14:23 schrieb Georgi Guninski: > Remote version of this affects wu-ftpd from 2003: > https://www.debian.org/security/2003/dsa-377 > > Summary: For trusted command PROGRAM, executing > PROGRAM *.EXT > may lead to arbitrary code execution, e.g. for > PROGRAM=EXT=tar > > The main idea is the wildcard to add program options. > > Open problem: > > Are popular programs other than tar vulnerable? > > Since shell wildcards are unlikely to change, should best practice > include not using *.EXT in shell? > > > Example exploit vector: starting program in untrusted > directories. > > Poc: > ==== > $rm -rf /tmp/1 ;mkdir /tmp/1 ; cd /tmp/1 ; tar cf a.tar /etc/issue > $ : > --to-command="yes .tar" > > #end creating, starts PoC > tar xf *.tar > > #.tar (repeats) > ==== > > -- Noel Kuntze IT security consultant GPG Key ID: 0x0739AD6C Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.