Message-ID: <53A907D1.50300@gmail.com>
Date: Mon, 23 Jun 2014 23:08:33 -0600
From: Stephen Chavez <elysium.xen@...il.com>
To: Fulldisclosure@...lists.org
Subject: [FD] Exploiting Wildcard Expansion on Linux

Hi,

I found a way to abuse "*" in bash. I can make an arbitrary code
execution attack.

This is a well-known problem, but it still surprises a lot of people.
It's been discussed on this list before:

    http://seclists.org/fulldisclosure/2011/Sep/190

Suppose we have control over the contents of a directory, and inside
that directory our victim will run the following command. Imagine, for
example, that the user just downloaded a web application's source code
from the attacker's website and is uploading the files to their web
server.

    $ scp * user@...mple.org:/var/www/

To exploit this command, in the directory we place these files.

- "-o" - SCP will interpret this file as the "-o" switch.
- "ProxyCommand sh supercool.sh %h %p" - SCP will interpret this file's
  name as the argument to the "-o" switch.
- "supercool.sh" - The script that will run, containing the attacker's
  code.
- "zzz.txt" - Another file in the directory which serves no purpose for
  the exploit.

Inside "supercool.sh", we have a script that will do what "ProxyCommand"
is supposed to do, along with some malicious commands.
When the victim runs their scp command, it will appear successful:

    $ scp * user@...mple.org:/var/www/
    supercool.sh
    zzz.txt

But really, supercool.sh has executed, and we now have control of the
user's system.

You can read the full details about this attack and download the entire
proof of concept directory on my site here:

    https://dicesoft.net/projects/wildcard-code-execution-exploit.htm
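
A defender-side check for the situation described in the message above, as an added example that is not part of the original post: it lists option-like file names in a directory and compares what a bare `*` and a `./*` glob hand to a command. The function names and the `bare`/`prefixed` mode argument are assumptions; the sample directory is constructed from the file names in the post as empty files, and nothing is copied or executed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are assumptions.

# Build a constructed sample directory of EMPTY files using the names
# listed in the post; nothing here runs scp or any script.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/-o"
    : > "$d/ProxyCommand sh supercool.sh %h %p"
    : > "$d/supercool.sh"
    : > "$d/zzz.txt"
    printf '%s\n' "$d"
}

# List entries of directory $1 whose names begin with "-".
option_like_names() {
    for f in "$1"/-*; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Count the words that a glob run inside directory $1 hands to a command
# and that start with "-". Mode "bare" expands *, "prefixed" expands ./*
count_dash_args() {
    (
        cd "$1" || exit 1
        if [ "$2" = prefixed ]; then set -- ./*; else set -- *; fi
        n=0
        for f in "$@"; do
            case $f in -*) n=$((n + 1)) ;; esac
        done
        printf '%s\n' "$n"
    )
}

# Demo on the constructed directory.
dir=$(make_sample_dir)
echo "option-like names: $(option_like_names "$dir")"
echo "bare *   -> $(count_dash_args "$dir" bare) word(s) starting with '-'"
echo "./*      -> $(count_dash_args "$dir" prefixed) word(s) starting with '-'"
rm -rf "$dir"
```

With `./*` every expanded word begins with `./`, so no file name can be parsed as a switch; placing `--` before the glob has the same effect for commands that honour it.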
