Command Injection : Grep

[Rudra92]

I assumed mkdir should not be able to create directories with invalid characters that
allow for command injections. This was not specified by the project description so it
is my assumption.
Mkdir does not sanitize the name of the directory and thus an attacker is able to write a command injection as the name of the directory. Later on functions may use the absolute path without checking for invalid characters and they will perform the injected command.
We can see in their function ​ mkdir ​ in systemcmd.cpp :

std::string command = cmd + ​ " "​ + dirname;
system​ (command.​ c_str​ ());

Then function ​ void grep(conn& conn, std::string pattern)​ in file
commands.cpp (line 523) is able to trigger the command injection.
First it will create a vector containing all files’ strings using
fetch_all_files_from_dir()​ in file filefetching.cp. This function will
itself call ​ command_with_output()​ from systemcmd.cpp which contains the
following line (48) :

if (0 == (fpipe = (FILE*)popen((cmd + " " + dirname).c_str(),"r")))

We can see that the corrupted directory name is appended without
sanitization and thus will potentially cause a command injection.
This allows an attacker to do the following suite of commands to spawn a calculator:
login KevinMitnick
pass FreeKevin
mkdir ;xcalc
cd ;xcalc
grep "rekt"

[LukasGelbmann]

Thanks for the report. Duplicate of #3