Command injection in grep #3

Open
delpeter opened this issue May 13, 2019 · 0 comments
Labels
bug Something isn't working

Comments

@delpeter
Vulnerability location

The vulnerability is in systemcmd.cpp at line 48:

if (0 == (fpipe = (FILE*)popen((cmd + " " + dirname).c_str(), "r")))

When a grep command is executed, the grep function in command.cpp (line 535) calls FileFetching::fetch_all_files_from_dir which itself calls SystemCommands::command_with_output on all subdirectories. The latter function is called iteratively in order to fetch all files in the (sub)directory by executing "ls " + directory_name. If a directory named a;xcalc was created before executing grep, SystemCommands::command_with_output will be called with the command ls and the directory name a;xcalc. Then, the call to popen in file systemcmd.cpp (line 48) will execute the command ls a;xcalc, which will open a calculator.

Exploit commands

login Acidburn 
pass CrashOverride
mkdir a;xcalc
grep a
@LukasGelbmann LukasGelbmann added the bug Something isn't working label May 21, 2019
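
One way to remove the shell from the directory listing described in the report, as an added example that is not part of the original issue or the project's code: the directory name is handed to opendir() as a path instead of being concatenated into a popen() command string. The function names list_dir_no_shell, fetch_all_files and make_sample_tree are hypothetical, and the sample tree is constructed for the demonstration.

```cpp
#include <dirent.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for running "ls " + dirname through popen(): the name
// goes to opendir() as a path, so no shell ever parses it. False if unreadable.
bool list_dir_no_shell(const std::string& dirname, std::vector<std::string>& out) {
    DIR* dir = opendir(dirname.c_str());
    if (dir == nullptr) return false;
    while (struct dirent* entry = readdir(dir)) {
        std::string name = entry->d_name;
        if (name != "." && name != "..") out.push_back(name);
    }
    closedir(dir);
    return true;
}

// Hypothetical recursive walk; lstat() reports symbolic links without following them.
void fetch_all_files(const std::string& root, std::vector<std::string>& files) {
    std::vector<std::string> names;
    if (!list_dir_no_shell(root, names)) return;
    for (const std::string& name : names) {
        std::string path = root + "/" + name;
        struct stat st;
        if (lstat(path.c_str(), &st) != 0) continue;
        if (S_ISDIR(st.st_mode)) fetch_all_files(path, files);
        else if (S_ISREG(st.st_mode)) files.push_back(path);
    }
}

// Constructed sample tree holding the directory name from the report.
std::string make_sample_tree() {
    char tmpl[] = "/tmp/grepdemoXXXXXX";
    if (mkdtemp(tmpl) == nullptr) return "";
    std::string root = tmpl, sub = root + "/a;xcalc";
    if (mkdir(sub.c_str(), 0700) != 0) return "";
    std::ofstream(sub + "/note.txt") << "a\n";
    return root;
}

int main() {
    std::vector<std::string> files;
    fetch_all_files(make_sample_tree(), files);
    for (const std::string& f : files) std::cout << f << "\n";
}
```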