Where the vulnerability is
A command is "parsed" in the check_and_parse_command function by splitting the input on the space separator, and a switch statement then selects which command to build. Shell metacharacters (such as ;, & or |) are neither rejected nor escaped. The hostname token is interpolated with sprintf into a command string made of the "ping" issued by the client, the hostname itself, the appended " -c 1" and a stderr redirection. The resulting string is handed to a shell through popen in the run_command function, so anything in the hostname that the shell treats specially is executed with the privileges of the server.
Exploitation of the vulnerability
To exploit this vulnerability, the injected text has to fit into a single token with no spaces, because the parser splits on spaces and only the token following ping is taken as the hostname. A space can be "emulated" with the shell's internal field separator variable (IFS): the expansion ${IFS%?} yields the value of IFS with its last character (the trailing newline) removed, i.e. a space and a tab, and because the expansion is unquoted the shell splits the text around it into separate words. The exploit therefore pings an arbitrary host, appends a pipeline and attaches a second command that executes arbitrary code (here it opens a calculator). Another operator (; or &) cannot be used in place of the pipeline (|): in those cases the program crashes and the server stops responding, because of the way popen is used.
After running the server and connecting one client, typing the following command on the client opens a calculator:
ping google.com|sh${IFS%?}-c${IFS%?}xcalc
which the shell expands to: ping google.com|sh -c xcalc. The " -c 1" and the stderr redirection that the server appends after the hostname end up on the sh side of the pipe, where they do not interfere with xcalc. The calculator is only a visible proof of execution; any other command can take its place.
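The following C program is an added example, not code from the vulnerable server described above. It reproduces the sprintf-into-popen pattern, shows how the shell word-splits the ${IFS%?} payload, and puts two fixes beside it: an allow-list check on the hostname and a fork/exec variant that never invokes a shell. The format string "ping %s -c 1 2>&1" and all function names are assumptions made for the example; the writeup says " -c 1" and a stderr redirection are appended but does not show the exact format.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern from the writeup: the hostname token is interpolated
 * into a command line that is later handed to popen().  The exact format
 * string of the real server is not shown; "ping %s -c 1 2>&1" is an
 * assumption that matches the description (ping, host, " -c 1", stderr
 * redirection).  Returns 0 on success, -1 if the buffer is too small. */
int build_ping_command_vulnerable(char *out, size_t n, const char *host)
{
    int len = snprintf(out, n, "ping %s -c 1 2>&1", host);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Allow-list check: only letters, digits, '-' and '.' (the hostname
 * alphabet of RFC 1123), non-empty, at most 253 bytes, and not starting
 * with '-' so ping cannot read it as an option.  Every shell metacharacter,
 * including the '|', '$', '{' and '}' used by the IFS trick, is rejected. */
int is_valid_hostname(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Minimal fix: same command construction, but the host is validated first.
 * Returns -1 and leaves `out` untouched for a rejected host. */
int build_ping_command_safe(char *out, size_t n, const char *host)
{
    if (!is_valid_hostname(host))
        return -1;
    return build_ping_command_vulnerable(out, n, host);
}

/* Stronger fix: no shell at all.  The validated host is a single argv
 * element of execlp(), so nothing ever interprets '|' or '$'.
 * Returns ping's exit status, or -1 on rejection or failure. */
int run_ping_noshell(const char *host)
{
    if (!is_valid_hostname(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", host, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstrates the ${IFS%?} trick on its own: the payload is placed unquoted
 * after printf, so the shell's field splitting turns it into separate words
 * and each word is echoed back in brackets.  Uses /bin/sh via popen(). */
int shell_split_demo(const char *payload, char *out, size_t n)
{
    char cmd[512];
    if (n == 0)
        return -1;
    int len = snprintf(cmd, sizeof cmd, "printf '[%%s]' %s", payload);
    if (len < 0 || (size_t)len >= sizeof cmd)
        return -1;
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    size_t got = fread(out, 1, n - 1, fp);
    out[got] = '\0';
    return pclose(fp) == 0 ? 0 : -1;
}

int main(void)
{
    const char *payload = "google.com|sh${IFS%?}-c${IFS%?}xcalc";  /* from the writeup */
    char cmd[256], words[64];

    if (shell_split_demo("sh${IFS%?}-c${IFS%?}xcalc", words, sizeof words) == 0)
        printf("shell splits the payload into: %s\n", words);  /* [sh][-c][xcalc] */

    if (build_ping_command_vulnerable(cmd, sizeof cmd, payload) == 0)
        printf("vulnerable server would run: %s\n", cmd);

    if (build_ping_command_safe(cmd, sizeof cmd, payload) == -1)
        printf("hardened server rejects the host\n");
    return 0;
}
```

The allow-list is the cheap fix and is enough to stop this payload, but the fork/exec variant is the one worth shipping: with no shell between the server and ping there is no command line to inject into, and the host validation then only has to protect ping itself (for example from a leading '-').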