What else should you know about argument injection at OS commanding vulnerabilities

2019-04-21T01:11:45
ID D0ZNPP:6D10F4C2D9B7BEF8708149B52538670F
Type d0znpp
Reporter Ivan Novikov
Modified 2019-04-21T01:11:45

Description

The first research on this technique dates, I believe, to March 2013. It described how to get around escapeshellarg() and other escaping functions used to sanitize data passed to shell calls such as system(), passthru(), exec() and others. The technique became very popular later, especially after many sendmail exploits used it.

In my last (and first, by the way) Twitch stream I tried to find a similar issue in Symfony (as part of Laravel), but after 30 minutes of research found only a DoS way to exploit it. During that stream I said that it is possible to inject only one command flag inside an argument, but I was wrong.

In fact, we cannot inject more than one argument into the shell command when exploiting something like this:

<?php
// user input, escaped so that the shell sees it as exactly one word
$data = escapeshellarg($_GET['d']);
system("file -bs --mime $data");

But this is one argument only for the shell, not for "file" or whatever other program is called this way, because almost all utilities and programs, from "dd" to "bash" itself, parse ARGV themselves to find flags in it. This parsing differs from program to program and is entirely specific to each one, so we can expect more bugs there, including OS command execution again.

That is, when you call "ls" as "ls -la", you actually pass "-la" as ARGV[1] to "ls", and "ls" itself then finds "-l" and "-a" in it separately. This behaviour lets an argument injection deliver more than one flag, contrary to what I said during the stream.

For example, the following command (where the second argument was ):

$ file -b '-zftest'

will be interpreted by the "file" utility exactly the same as this one:

$ file -b -z -f test

We can confirm this from the following outputs, which differ:

$ file -b '-zftest'
POSIX tar archive (GNU) (bzip2 compressed data, block size = 900k)

$ file -b '-ftest'
bzip2 compressed data, block size = 900k
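To make the two parsing stages visible, here is an added Python illustration (not code from the original post): the shell-level quoting keeps the value as one word, a getopt-style parser then splits that word into several options, and placing the value after "--" in an argv list keeps it positional. The option spec for "file" and the assumption that the called program honours the POSIX "--" terminator are assumptions made for the illustration.

```python
import getopt
import shlex

# Constructed sample: a value an attacker could supply as $_GET['d'] above.
UNTRUSTED = "-zftest"

# Option spec assumed for this illustration: b, s, z take no value; f takes one.
SHORTOPTS = "bszf:"
LONGOPTS = ["mime"]


def shell_words(untrusted):
    """Quote as the shell-level escaping step does, then split like the shell.

    The quoting guarantees the value stays ONE word; it says nothing about
    how the called program will interpret that word.
    """
    cmdline = "file -bs --mime " + shlex.quote(untrusted)
    return shlex.split(cmdline)


def program_view(argv):
    """Re-parse the program's argv the way a getopt-style parser would.

    Returns (options, positionals); a clustered word such as '-zftest'
    comes back as '-z' plus '-f test'.
    """
    opts, positionals = getopt.getopt(argv[1:], SHORTOPTS, LONGOPTS)
    return opts, positionals


def safe_argv(untrusted):
    """Hardened form: an argv list (no shell) with '--' ending option parsing.

    Assumption: the target program honours the POSIX '--' terminator, as
    getopt and getopt_long do. For programs that do not, use
    reject_option_like() as well.
    """
    return ["file", "-bs", "--mime", "--", untrusted]


def reject_option_like(untrusted):
    """Defence in depth: refuse values that a parser could read as an option."""
    if untrusted.startswith("-"):
        raise ValueError("value must not look like an option: %r" % untrusted)
    return untrusted
```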

Using this knowledge it is possible to exploit more issues, which I think you will love. Enjoy!