I assumed mkdir should not be able to create directories with invalid characters that allow for command injection. This was not specified by the project description, so it is my assumption.
mkdir does not sanitize the directory name, so an attacker can supply a shell command fragment as the name of the directory. Later on, functions may use the absolute path without checking for invalid characters, and they will execute the injected command.
We can see this in their function mkdir in systemcmd.cpp:
Then the function void grep(conn& conn, std::string pattern) in file commands.cpp (line 523) is able to trigger the command injection. It first builds a vector containing all files' paths as strings using fetch_all_files_from_dir() in file filefetching.cp. That function in turn calls command_with_output() from systemcmd.cpp, which contains the following line (48):
We can see that the attacker-controlled directory name is appended to the shell command without sanitization and thus will potentially cause a command injection.
This allows an attacker to run the following sequence of commands to spawn a calculator:
login KevinMitnick
pass FreeKevin
mkdir ;xcalc
cd ;xcalc
grep "rekt"
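As an added example (not the project's code), the two fixes a reviewer would ask for: an allow-list check that mkdir could apply to the name before creating anything, and a file listing that walks the directory with std::filesystem instead of splicing the path into a shell command. Function names are assumptions, not identifiers from the project.

```cpp
#include <cctype>
#include <filesystem>
#include <fstream>
#include <string>
#include <vector>

// Added example, not the project's code. Allow-list check a hardened mkdir
// could apply before creating anything: only [A-Za-z0-9._-] is accepted,
// which rejects ';', '|', '&', '$', quotes, whitespace and path separators.
// "." and ".." are refused, as is a leading '-', so the name can never be
// read as an option by a later shell command.
bool is_safe_dir_name(const std::string& name) {
    if (name.empty() || name.size() > 255) return false;
    if (name == "." || name == "..") return false;
    if (name[0] == '-') return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '.' || c == '_' || c == '-')) return false;
    }
    return true;
}

// Hypothetical replacement for the shell-based file fetch: walk the directory
// with std::filesystem instead of running "find <path>" through popen() or
// system(), so no byte of the path is ever parsed as shell syntax.
std::vector<std::string> list_files_no_shell(const std::filesystem::path& dir) {
    std::vector<std::string> out;
    std::error_code ec;
    for (const auto& entry : std::filesystem::recursive_directory_iterator(dir, ec)) {
        if (entry.is_regular_file(ec)) out.push_back(entry.path().string());
    }
    return out;
}

// Self-check: build a constructed sample tree under the temp directory,
// including a subdirectory whose name carries a shell metacharacter, list it
// without a shell and return the number of regular files found. The name is
// inert here because nothing ever interprets it as a command.
std::size_t demo_count_files() {
    namespace fs = std::filesystem;
    const fs::path root = fs::temp_directory_path() / "mkdir_injection_demo";
    fs::remove_all(root);
    fs::create_directories(root / "bad;name");
    std::ofstream(root / "bad;name" / "notes.txt") << "sample\n";
    std::ofstream(root / "readme.txt") << "sample\n";
    const std::size_t n = list_files_no_shell(root).size();
    fs::remove_all(root);
    return n;
}
```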