|
| From: | Rakesh Mane |
| Subject: | Security Vulnerability |
| Date: | Sun, 7 Feb 2016 16:01:49 +0530 |
Hey,
While playing with Terminal I noticed a weird behavior which can turn into a security vulnerability.
I'm not sure if it's actually a bug or a feature but I thought to report it anyway.
Details :
Whenever we enter "*" as command, shell looks for the files in current directory and executes the filename as a shell command.
For example :
$ echo $BASH_VERSION
4.3.42(1)-release
$ touch id
$ ls
id
$ *
uid=10191(u0_a191) gid=10191(u0_a191) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet),9997(everybody),50191(all_a191) context=u:r:untrusted_app:s0
In above example I created a file named "id" in an empty directory and then entered "*" as command. After that the "id" command got executed.
In real life, if an attacker founds a command injection vulnerability in some system then he can use this flaw to bypass filters or waf's by simply uploading a file having a command as filename (example: reboot) and then by sending "*" as command.
Thanks
| [Prev in Thread] | Current Thread | [Next in Thread] |