Showing posts from June, 2011

Arbitrary Flag Execution on *nix platform

Referenced URL: http://h.ackack.net/flag-execution-for-easy-local-privilege-escalation.html

Analysis

Some programs on *nix platforms do not account for directory names that begin with "-". They treat such a name as a flag to process. Programs that allow arbitrary execution from the user's input are the ones mainly vulnerable.

For example, if "find" is vulnerable, we could create:

    python flagHandler.py mk "-exec echo pwn3d '{}' \;"

Then, when we run:

    find . -type f

it becomes:

    find . -type f -exec echo pwn3d '{}' \;

Impact

An attacker could trigger local privilege escalation or execute arbitrary commands.
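The name-as-flag confusion described under Analysis can be reproduced with a harmless option, together with the two usual guards (`--` and a `./` prefix) and a check for dash-leading names. This is an added example, not code from the original post; the helper names, the scratch files and the choice of `sort -r` are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a file whose name looks like an option changes what a
# command does once the shell expands "*". Uses POSIX sort(1) and its -r flag.
export LC_ALL=C   # fixed glob order: "-r" expands before "data.txt"

# Build a scratch directory (constructed sample input) and print its path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf 'a\nb\n' > "$d/data.txt"
    : > "$d/-r"                  # empty file named like sort's reverse flag
    printf '%s\n' "$d"
}

# Unguarded glob: the shell passes "-r data.txt", so sort reverses its output.
unsafe_sort() { ( cd "$1" && sort * | tr -d '\n' ); }

# Guard 1: "--" ends option parsing, so "-r" is read as a file operand.
guarded_sort() { ( cd "$1" && sort -- * | tr -d '\n' ); }

# Guard 2: a "./" prefix means no expanded name can start with "-".
prefixed_sort() { ( cd "$1" && sort ./* | tr -d '\n' ); }

# Check: list entries under a directory whose names begin with "-".
dash_names() {
    dir=$1
    case $dir in -*) dir=./$dir ;; esac   # the directory argument gets the same guard
    find "$dir" -name '-*' -print
}

demo=$(make_demo_dir)
echo "sort *    -> $(unsafe_sort "$demo")"
echo "sort -- * -> $(guarded_sort "$demo")"
echo "sort ./*  -> $(prefixed_sort "$demo")"
echo "dash-leading names:"
dash_names "$demo"
rm -rf -- "$demo"
```

The same two guards apply to any command that receives file names from a glob or from another program's output.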