Arbitrary Flag Execution on *nix platform

Referenced URL:

http://h.ackack.net/flag-execution-for-easy-local-privilege-escalation.html


Analysis

Some programs on *nix platforms do not account for file or directory names that begin with "-". When such a name is passed to them (for example through shell glob expansion), they treat it as a flag to process rather than as a filename. Programs that allow arbitrary command execution based on user input are the most dangerous when combined with this.

Let's say "find" is vulnerable. We could create a directory whose name is itself a flag (flagHandler.py is the helper from the referenced post):

python flagHandler.py mk "-exec echo pwn3d '{}' \;"

Then, when we run

find . -type f

the flag-shaped name is picked up as an option and the command effectively becomes

find . -type f -exec echo pwn3d '{}' \;
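The following added example (not from the original post or the referenced tool) reproduces the mechanism with a harmless program, "sort", in a constructed temporary directory: a file named "-r" is turned into an option by an unquoted glob, while "--" or a "./" prefix keeps it a file operand. It also includes a simple scan for flag-shaped names that a defender can run over a directory.

```shell
#!/bin/sh
# Added example: how a filename beginning with "-" becomes an option under glob
# expansion, and two standard mitigations. Directory and file names are constructed.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# A normal data file and a file whose name is also a valid "sort" option.
printf 'hello\n' > "$workdir/zz.txt"
printf 'zzz\n'   > "$workdir/-r"

# unsafe_sort: "sort *" in the directory. The glob expands to "-r zz.txt", so
# "-r" is consumed as the reverse flag and its contents are never read.
unsafe_sort() {
  (cd "$1" && sort *)
}

# safe_sort: "--" ends option parsing; every expanded name is treated as a file.
safe_sort() {
  (cd "$1" && sort -- *)
}

# safe_sort_prefixed: anchoring the glob with "./" means no operand starts with "-".
safe_sort_prefixed() {
  (cd "$1" && sort ./*)
}

# scan_dash_names: defensive check listing top-level entries whose name starts with "-".
scan_dash_names() {
  find "$1" -mindepth 1 -maxdepth 1 -name '-*' -exec basename {} \;
}

echo "unsafe:";   unsafe_sort "$workdir"
echo "safe:";     safe_sort "$workdir"
echo "prefixed:"; safe_sort_prefixed "$workdir"
echo "flag-shaped names:"; scan_dash_names "$workdir"
```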

Impact

An attacker could trigger local privilege escalation or execute arbitrary commands of their choosing.

