- User input is fully trusted!
- Functions that are known to be vulnerable are used!
As in the previous level, the C function system(const char *command); is used, which is not safe. If user input is passed directly to this function, the user can execute arbitrary code.
You just put the command to execute inside the USER variable. To be more elegant and to avoid triggering an IDS that looks for crashing programs, one might:
- First terminate the
- afterwards execute
- return to the origin
export USER='; getflag ; /bin/echo'
/home/flag02/flag02
Passing the variable USER directly to the process:
USER='; getflag ; /bin/echo' /home/flag02/flag02
Lesson / How to fix
- Do not trust input that the user controls!
How can one handle user input? The safe use of user input depends heavily on the features of the language one is using!
- Do not use functions that are known to be vulnerable!
In some languages it might be sufficient to surround the input by single quotes. However, not in this case. If you change line 22 like this:
... asprintf(&buffer, "/bin/echo '%s' is cool", getenv("USER")); ...
one might still execute arbitrary code using the following value of the environment variable USER:
USER="' ; ls ; echo '"
This small example should show that there is no magic formula for sanitizing user input or protecting the code from it!
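As an added example (not the level's own code), here is the vulnerable shape of the call beside a hardened version that never hands the value of USER to a shell, plus an allow-list check as defence in depth. The command string and the character set for a login name are assumptions for this illustration.

```c
/* Added example: vulnerable system() call beside a hardened execve() call. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape (same idea as the level): the value of USER is spliced
 * into a shell command line, so ';' and quotes are interpreted by /bin/sh. */
int run_vulnerable(const char *user) {
    char buffer[256];
    if (snprintf(buffer, sizeof buffer, "/bin/echo %s is cool", user) < 0)
        return -1;
    return system(buffer);  /* the shell parses the whole string */
}

/* Hardened: fork + execve() with an explicit argv. No shell is involved, so
 * the string reaches echo as one argument regardless of its contents. */
int run_hardened(const char *user) {
    char *const argv[] = {"/bin/echo", (char *)user, "is", "cool", NULL};
    char *const envp[] = {NULL};  /* do not inherit the caller's environment */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127);               /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Defence in depth: accept only the characters a login name may contain
 * (assumed set), so shell metacharacters never reach either function. */
int is_safe_username(const char *user) {
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    if (user == NULL || *user == '\0' || strlen(user) > 32) return 0;
    for (const char *p = user; *p != '\0'; p++) {
        if (strchr(allowed, *p) == NULL) return 0;
    }
    return 1;
}
```

Both injection strings from the write-up are rejected by is_safe_username(), and run_hardened() simply echoes them instead of executing them.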