Bash Command Injection Vulnerability #81
I've found a bug that allows me to inject any bash command I want into the system running the script. My tests used the BIRD router; I don't know if this is possible on other systems. If the user configuring the router used a user with no permissions, this may not be an issue, but if they didn't, you could wreak havoc on systems:
To reproduce it:
You can then modify the command to do things like list the directory of / (replace the "echo" part with any bash command, and it will be executed, but the =] will be printed after, so this is technically limited to commands that can have that extra bit thrown out, but I was able to find a few, including rm, that this could cause major issues with).
Just to add some details here as I was the person who originally found this, but I'm perfectly fine with Electro submitting this report, you can fix any issues with the ending
You could also theoretically replace
I haven't tested it in a restricted shell yet, however I would assume the vulnerability in and of itself would still exist, however the capability of it would be somewhat limited (no
Now you could theoretically limit the capability of the vulnerability even further by using a chroot jail in combination with a restricted shell however that doesn't address the vulnerability at hand, and would require the system administrators to implement these features on their installations, instead of simply updating the Looking Glass software.
In addition, nothing is stopping me from possibly escaping the restricted shell by creating a new instance of
I could then make this script file add a new user to the system (assuming the script is running as root or some other user with higher privileges on the system) and allow me to SSH into it, or do other things.
Once again though, I haven't personally tested this in a restricted shell; these are all assumptions I am making, and I welcome any corrections if I am wrong.
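
An added illustration of fixing this in the software rather than relying on a restricted shell or chroot (not code from the project or from either poster). It assumes the Looking Glass inserts a user-supplied destination into a BIRD `show route for` query that is sent to the router as a command string; the function names are hypothetical and the sample inputs are constructed.

```python
import ipaddress
import re
import shlex

# Final allowlist: only characters a canonical IPv4/IPv6 address or prefix uses.
_CANONICAL = re.compile(r"[0-9a-f:./]+")


def canonical_target(raw: str) -> str:
    """Parse user input as an IP address or prefix and return its canonical
    text form; raise ValueError for anything else."""
    raw = raw.strip()
    # Re-serialising the parsed object means the command is built from the
    # parser's output, not from the raw request parameter.
    if "/" in raw:
        target = str(ipaddress.ip_network(raw, strict=False))
    else:
        target = str(ipaddress.ip_address(raw))
    # Newer Python versions accept an IPv6 scope id ("fe80::1%eth0") and keep
    # its text verbatim, so the parser alone is not a sufficient filter.
    if not _CANONICAL.fullmatch(target):
        raise ValueError("target contains characters outside the allowlist")
    return target


def bird_route_command(raw: str) -> str:
    """Build the command string sent to the router (assumed query form)."""
    target = canonical_target(raw)
    # Quoting is defence in depth: a remote shell re-parses whatever string
    # arrives over the transport, so the allowlist above is the real control.
    return "birdc " + shlex.quote("show route for " + target)


if __name__ == "__main__":
    # Constructed sample inputs: two valid targets, three that must be refused.
    for sample in ["192.0.2.1", "2001:DB8::1/32", "192.0.2.1; echo x",
                   "$(echo x)", "fe80::1%;echo x"]:
        try:
            print(f"{sample!r:22} -> {bird_route_command(sample)}")
        except ValueError as exc:
            print(f"{sample!r:22} -> rejected ({exc})")
```
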