LukasGelbmann / GRASS

CS-412 project

Command Injection : Grep #4

Open Rudra92 opened 5 years ago

Rudra92 commented 5 years ago

I assumed mkdir should not be able to create directories with invalid characters that allow for command injection. This was not specified by the project description, so it is my assumption. mkdir does not sanitize the name of the directory, and thus an attacker is able to write a command injection as the name of the directory. Later on, functions may use the absolute path without checking for invalid characters, and they will perform the injected command. We can see this in their function mkdir in systemcmd.cpp:

```cpp
std::string command = cmd + " " + dirname;  // dirname is taken from the client unchecked
system(command.c_str());
```

Then the function void grep(conn& conn, std::string pattern) in file commands.cpp (line 523) is able to trigger the command injection. First it will create a vector containing all files' strings using fetch_all_files_from_dir() in file filefetching.cp. This function will itself call command_with_output() from systemcmd.cpp, which contains the following line (line 48):

```cpp
if (0 == (fpipe = (FILE*)popen((cmd + " " + dirname).c_str(), "r")))
```

We can see that the corrupted directory name is appended without sanitization and thus will potentially cause a command injection. This allows an attacker to run the following sequence of commands to spawn a calculator:

```
login KevinMitnick
pass FreeKevin
mkdir ;xcalc
cd ;xcalc
grep "rekt"
```
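As an added illustration (not code from GRASS or from the reporter), the concatenation pattern quoted in the report is shown beside a hardened mkdir and directory listing that validate the client-supplied name against an allow-list and then call mkdir(2) and readdir(3) directly, so no shell ever sees the name. The function names and the /tmp scratch directory are assumptions made for this demo.

```cpp
// Added example for issue #4; not part of GRASS. Function names are hypothetical.
#include <algorithm>
#include <cctype>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <initializer_list>
#include <string>
#include <vector>
#include <dirent.h>
#include <sys/stat.h>
#include <unistd.h>

// Allow-list check for one path component. Anything outside [A-Za-z0-9._-]
// is rejected, as are "", ".", ".." and over-long names. Rejecting instead of
// escaping means ";xcalc", "$(id)", "`id`" and friends never reach a command line.
bool is_safe_name(const std::string& name) {
    if (name.empty() || name.size() > 255) return false;
    if (name == "." || name == "..") return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '.' || c == '_' || c == '-')) return false;
    }
    return true;
}

// The shape reported in systemcmd.cpp: the name is pasted into a shell command
// line, so ";xcalc" becomes a second command. Shown only for contrast.
std::string build_shell_command(const std::string& cmd, const std::string& dirname) {
    return cmd + " " + dirname;
}

// Hardened mkdir: validate the component, then call mkdir(2) directly.
// No shell is involved, so shell metacharacters have nothing to act on.
bool make_dir_safe(const std::string& base, const std::string& dirname, std::string& err) {
    if (!is_safe_name(dirname)) { err = "invalid directory name"; return false; }
    std::string path = base + "/" + dirname;
    if (::mkdir(path.c_str(), 0700) != 0) { err = std::strerror(errno); return false; }
    return true;
}

// Hardened listing: readdir(3) instead of popen("ls/find ..."). Entries are
// sorted so the result is deterministic; "." and ".." are dropped.
bool list_dir_safe(const std::string& dir, std::vector<std::string>& out) {
    out.clear();
    DIR* d = ::opendir(dir.c_str());
    if (!d) return false;
    while (dirent* e = ::readdir(d)) {
        std::string n = e->d_name;
        if (n != "." && n != "..") out.push_back(n);
    }
    ::closedir(d);
    std::sort(out.begin(), out.end());
    return true;
}

// Scratch directory for the demo (assumed to live under /tmp); "" on failure.
std::string make_temp_base() {
    char tmpl[] = "/tmp/grass_issue4_XXXXXX";
    char* p = ::mkdtemp(tmpl);
    return p ? std::string(p) : std::string();
}

int main() {
    std::printf("unsafe command line: %s\n", build_shell_command("mkdir", ";xcalc").c_str());
    std::string base = make_temp_base(), err;
    if (base.empty()) return 1;
    for (const char* name : {";xcalc", "$(id)", "..", "docs"}) {
        bool ok = make_dir_safe(base, name, err);
        std::printf("mkdir %-8s -> %s\n", name, ok ? "created" : err.c_str());
    }
    std::vector<std::string> names;
    list_dir_safe(base, names);
    for (const auto& n : names) std::printf("listed: %s\n", n.c_str());
    ::rmdir((base + "/docs").c_str());
    ::rmdir(base.c_str());
    return 0;
}
```

The allow-list is deliberately strict: a name that is safe for mkdir(2) but would still need quoting for a shell (spaces, quotes, backslashes) is rejected outright, which also closes the grep path, since the listing code never builds a command line from the stored directory name at all.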

LukasGelbmann commented 5 years ago

Thanks for the report. Duplicate of #3