Vulnerability report
Abstract:
The user-supplied argument to the ping command is not properly escaped which allows an attacker to run arbitrary commands on the server.
Details of the vulnerability:
Here are lines 110 and 111 of the helper function for the ping command in commands.cpp:
https://github.com/si-co/grass/blob/6f7ed9be3d3715333dd5b564ca3799357c868798/lib/commands.cpp#L110-L111
Here cmd->cmd equals "ping" and cmd->arg1 is the first user-supplied argument. Therefore, on line 111 the helper function _check_cmd is called with the string "ping some-user-supplied-argument -c 1".
Further investigation of _check_cmd shows that no sanitization is performed on the received command string: it is executed as-is on the server machine through a system() call, i.e. it is handed to /bin/sh, which is what makes shell operators in the argument meaningful.
Recall that the shell supports executing multiple commands on one line by separating them with "&&" (each command runs only if the previous one exited with status 0), for example:
$ command-one && command-two && command-three
In that case, if some-user-supplied-argument = "epfl.ch -c 1 && xcalc &&", the command executed on the server becomes "ping epfl.ch -c 1 && xcalc && -c 1" (the trailing " -c 1" is the suffix the helper appends), which runs a single ping, then a calculator, then the unknown command "-c 1", which simply fails. The only obstacle is that the user-supplied argument must not contain any blank space, because the server uses spaces as delimiters between arguments. We can replace each blank space with "${IFS%?}": the shell variable IFS defaults to space, tab and newline, "${IFS%?}" strips its last character (the newline), and since the expansion is unquoted the shell splits words at the remaining whitespace, so it behaves as an argument separator at shell level while containing no literal space at the server's argument parser.
Exploit:
The exploit does not require any particular setup. Just run one server and one client. On the client, run the following command (just copy-paste it):
ping epfl.ch${IFS%?}-c${IFS%?}1${IFS%?}&&${IFS%?}xcalc${IFS%?}&&
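As an added illustration (this is not code from the grass repository; the function names, the hostname validator and the execvp-based runner are my own construction), the following puts the vulnerable concatenation pattern described above next to a hardened variant. It shows why the payload survives the server's space-delimited argument parsing, why a character whitelist on the ping target rejects it, and how executing ping without a shell removes the injection class entirely rather than chasing individual metacharacters.

```cpp
// Added example, not the grass project's code. Demonstrates the vulnerable
// "concatenate into a shell command" pattern and a hardened alternative.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Vulnerable pattern (hypothetical helper mirroring the report): the untrusted
// argument is spliced into a command line that is later handed to /bin/sh, so
// "&&" inside arg1 is parsed by the shell as an operator.
std::string build_ping_cmd(const std::string& arg1) {
    return "ping " + arg1 + " -c 1";
}

// The payload from the report, as the client sends it. It contains no literal
// space, so a space-delimited argument parser sees a single argument; ${IFS%?}
// expands to IFS minus its trailing newline (space and tab), and the unquoted
// expansion is word-split by the shell.
const std::string kPayload =
    "epfl.ch${IFS%?}-c${IFS%?}1${IFS%?}&&${IFS%?}xcalc${IFS%?}&&";

// Hardened check: a ping target is a hostname or an IPv4/IPv6 literal, so only
// letters, digits, '.', '-' and ':' are accepted. Everything a shell could
// interpret ($, &, ;, |, `, whitespace, ...) is rejected, and a leading '-'
// is refused so the target can never be parsed as a ping option.
bool is_safe_host(const std::string& host) {
    if (host.empty() || host.size() > 253) return false;
    for (unsigned char c : host) {
        if (!(std::isalnum(c) || c == '.' || c == '-' || c == ':')) return false;
    }
    return host.front() != '-';
}

// Hardened execution: no shell at all. The argument vector goes straight to
// execvp(), so shell operators in the target have no meaning. Returns ping's
// exit status, or -1 if the target is rejected or the process cannot be run.
int run_ping_safely(const std::string& host) {
    if (!is_safe_host(host)) return -1;
    std::vector<std::string> args = {"ping", "-c", "1", host};
    std::vector<char*> argv;
    for (auto& a : args) argv.push_back(const_cast<char*>(a.c_str()));
    argv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv.data());
        _exit(127);  // exec failed; mimic the shell's "command not found"
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // What the vulnerable server would hand to /bin/sh for the payload.
    std::printf("vulnerable command line: %s\n", build_ping_cmd(kPayload).c_str());
    std::printf("payload accepted by validator: %s\n",
                is_safe_host(kPayload) ? "yes" : "no");
    // Safe path: pings localhost once without involving a shell.
    std::printf("ping 127.0.0.1 exit status: %d\n", run_ping_safely("127.0.0.1"));
    return 0;
}
```

The validator is deliberately a whitelist rather than a blacklist of "&&", ";" and friends: the `${IFS%?}` trick in this report is exactly the kind of bypass a blacklist misses, and a whitelist of hostname characters rejects it without needing to know about it. The execvp() path is the real fix, since it leaves no shell to inject into even if the validator is later loosened.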
Vulnerability verified and accepted. Even if the same function _check_cmd is used to execute both the ls and the ping command, we do not consider the bug a duplicate because the fix will be different.