Post #AttKgd1kAvtosn1yNs by [email protected]
0 likes, 1 repeats
It makes me super uncomfortable that globbing in Bash can turn into code execut…

Post #AttKgdAFfIhlJB0le4 by [email protected]
0 likes, 1 repeats
@Lee_Holmes Oh weird. I had to look at that a few times to figure out what was …

Post #AttLn2XGLg2VgfOWoK by [email protected]
0 likes, 1 repeats
@Lee_Holmes oh what? How? Why? This does not spark joy...

Post #AttMrRRbmQlY3LPe52 by [email protected]
0 likes, 1 repeats
@Lee_Holmes It's not just bash, this affects any shell that does globbing, …

Post #AttPn4WxKZ8HgvWQKm by [email protected]
0 likes, 0 repeats
I'm sure there's something here, but I don't have the patience to f…

Post #AttPn4cyy9x9zcLEjA by [email protected]
0 likes, 1 repeats
@Lee_Holmes explore the unknown 🙂 but your example is expected 🙃

Post #AttYdGh49YIK6dePoG by [email protected]
0 likes, 0 repeats
@Lee_Holmes Usually RCE with tar in some cronjob for backups like in this CTF t…

Post #AttYg3bNHhXGN5JoSO by [email protected]
0 likes, 0 repeats
@Lee_Holmes Using ls with cut, head, tail, grep, and xargs is a really great wa…

Post #AttYiHHdO5k5Np8zqa by [email protected]
0 likes, 0 repeats
@[email protected] can this also lead to command injection/inclusion …

Post #AttYo3O3xzbO1QuBZQ by [email protected]
0 likes, 0 repeats
@Lee_Holmes If ls * expanded to ls ./-l instead (and likewise for any filename…

Post #AttYo3VrUzqAPcYPj6 by [email protected]
0 likes, 0 repeats
@Lee_Holmes ls ./* does indeed expand to ls ./-l in bash and zsh at least.

Post #AttYscjSUps0nk5li4 by [email protected]
0 likes, 1 repeats
@Lee_Holmes @Lee_Holmes This is part of why to use -- to denote end of options …

Post #AttZ1hPkSRd1veCTeS by [email protected]
0 likes, 0 repeats
@Lee_Holmes welcome to why the absolute minimum response is to scream bloody fu…

Post #AttZ6yXAEcrGTLBW6q by [email protected]
0 likes, 0 repeats
@Lee_Holmes uh?

Post #AttZ7JE5Il4eeFQ4mm by [email protected]
0 likes, 0 repeats
@nyanbinary @Lee_Holmes Yep, that's why there exists the '--' key, at le…

Post #AttZC1xYvQxAXqwWDA by [email protected]
0 likes, 0 repeats
@Lee_Holmes How did I never know this was a thing????

Post #AttZEFG4S8A4Mveja4 by [email protected]
0 likes, 0 repeats
@Lee_Holmes I don't think of this as "code execution". Bash (and…

Post #AttZIbR3wLNoJCsKCO by [email protected]
0 likes, 0 repeats
@Lee_Holmes eek! That's freaky and not in a good way.

Post #AttZX8mqjlAXngzwkS by [email protected]
0 likes, 0 repeats
@Lee_Holmes did you try 'exec find *'? Anyway "find *" would …

Post #AttZbpdhM3kvrZxFNw by [email protected]
0 likes, 0 repeats
@jernej__s Yeah, I'm aware of that. For sure everybody else in the world is…

Post #AttZm0WljA8sWoZ7gm by [email protected]
0 likes, 0 repeats
@EpicKitty @Lee_Holmes Nope. Try it, and you'll see words resulting from gl…

Post #AttbvknTGgSoXq9XwO by [email protected]
0 likes, 1 repeats
@deFractal Haha, did I get this right? :)

Post #AttcWYrcb7hyFXe5EO by [email protected]
0 likes, 1 repeats
@Lee_Holmes ls -- *

Post #AttclHjiYksHTPyAAS by [email protected]
0 likes, 1 repeats
@Lee_Holmes I mirror this concern. That's why I give myself a small safety…

Post #AtthX37qaKhTsLHr5k by [email protected]
0 likes, 0 repeats
@Lee_Holmes yes there is - it's as old as the hills

Post #AtthX3FI8eegFQlnhA by [email protected]
0 likes, 0 repeats
@nf3xn Pray tell

Post #AtthX3Lfkvl8ZDktdo by [email protected]
0 likes, 0 repeats
@Lee_Holmes it's CTF stuff: tar file checkpoint execution TartarSauce I think wa…

Post #AtthX3S3NCrat0jzaS by [email protected]
0 likes, 1 repeats
@nf3xn Oh, I thought you meant that getting code execution through 'find…

Post #AtthX3fAaRM5XgsT20 by [email protected]
0 likes, 0 repeats
@Lee_Holmes the learning experience most boxes I think were trying to teach is …

Post #AttiFN9dTmwcjfG5Oi by [email protected]
0 likes, 0 repeats
@Lee_Holmes And that is exactly why most POSIX utilities offer a hidden -- "…

Post #AttiNVn5Fny1pxahrE by [email protected]
0 likes, 0 repeats
@Lee_Holmes Holy shit unix is so cooked it's literally joever. Time to move t…

Post #AttiSsMgkbiTIWnpRo by [email protected]
0 likes, 0 repeats
@Lee_Holmes shiiiiiit

Post #AttieGLhv0QMrvm0w4 by [email protected]
0 likes, 1 repeats
@deFractal Yeah, this is why it's scary. "Don't use globbing witho…

Post #AttifULfM3Y6ZoL3QG by [email protected]
0 likes, 0 repeats
@jernej__s @Lee_Holmes, zsh's man pages explicitly use “-- *” wherever …

Post #AttinFczy8DPEr9Bia by [email protected]
0 likes, 0 repeats
@Lee_Holmes cripes

Post #AttiqevkLraIa6Xdjc by [email protected]
0 likes, 0 repeats
@EpicKitty @Lee_Holmes Nope. Try it, and you'll see words resulting from gl…

Post #Attivdnbz7gCWM70SG by [email protected]
0 likes, 0 repeats
@Lee_Holmes MS-DOS had the right idea, it seems: pass the entire command line a…

Post #AttixL26jCfEtihZ7w by [email protected]
0 likes, 0 repeats
@DopeGhoti, “\ls” (or “l\s”) should also work.

Post #Attj1T6udccP6kv19s by [email protected]
0 likes, 0 repeats
@Lee_Holmes Oh man. I had to see this one for myself. You're 100% right. T…

Post #AttkduLluTTkY4lJLM by [email protected]
0 likes, 1 repeats
@Lee_Holmes Yep. The Bourne shell is old (1979), and POSIX shells such as Bash …

Post #Attm9IVYF3cOP5rsRM by [email protected]
0 likes, 1 repeats
@Lee_Holmes that is kinda scary and fascinating at the same time

Post #AttoAltydoInlW7j0a by [email protected]
0 likes, 1 repeats
If you want to see how deep the rabbit hole goes: [2010] - Filenames and Pathnam…

Post #Attp8zjSLiZ22Bv31E by [email protected]
0 likes, 1 repeats
@Lee_Holmes Who does ls *? The problem is clearly between keyboard and chair, n…

Post #AttpzCTmCWOGcwTjUG by [email protected]
0 likes, 1 repeats
@adamshostack Here you go, IRREFUTABLE evidence that this is a critical issue t…

Post #AttqFN9EIqv6LfZzDE by [email protected]
0 likes, 1 repeats
@Lee_Holmes I feel left out of your regexps.... it's... touching. 😜

Post #AttqKkt9SmW3QWcrWS by [email protected]
0 likes, 0 repeats
@deFractal @EpicKitty @Lee_Holmes They're not exactly quoted. There's j…

Post #AttqQtfVjSzKOYAqem by [email protected]
0 likes, 0 repeats
@lyda @EpicKitty @Lee_Holmes Indeed. I oversimplified.

Post #AttqT034yx5IlICVRQ by [email protected]
0 likes, 0 repeats
@argv_minus_one @Lee_Holmes Yes, so each program can have its own quirks in how…

Post #Attukc5dCO7hU434ka by [email protected]
0 likes, 0 repeats
@lyda I'll take quirks over security breaches any day of the week. @Lee_Holm…

Post #AtuHCCKgkr2shQeMbo by [email protected]
0 likes, 0 repeats
@Lee_Holmes I've been upset with zsh because it won't do scp with a wildcard…

Post #AtuHCCQMPlaAz1ItRw by [email protected]
0 likes, 0 repeats
@LinuxAndYarn SCP is worse. It does full shell command substitution.

Post #AtuHE82Ph3jFxV1Sme by [email protected]
0 likes, 0 repeats
@Lee_Holmes What the fuck? 😳

Post #AtuHH7f7XxcBf7YUIi by [email protected]
0 likes, 0 repeats
@brainwagon @Lee_Holmes “some possible misuse” = “one of the more common …

Post #AtuHQz4QLVttuX5p4K by [email protected]
0 likes, 0 repeats
@Lee_Holmes @coldclimate You could at least credit the woman who discovered thi…

Post #AtuHTdjY8EF8bZaywK by [email protected]
0 likes, 0 repeats
@Lee_Holmes @nf3xn The execution isn't coming from find, it's the shell…

Post #AtuHliytMPau5mOYzI by [email protected]
0 likes, 0 repeats
@cyberspice @coldclimate What other post are you talking about?

Post #AtuHv8Al4KUipPQlvM by [email protected]
0 likes, 0 repeats
@nyanbinary @Lee_Holmes BRB. I have to seed a bunch of directories with files n…

Post #AtuI8ClzH9YurR4wPQ by [email protected]
0 likes, 0 repeats
@Lee_Holmes Yikes

Post #AtuIIo5XOQZvUKHKb2 by [email protected]
0 likes, 0 repeats
@Lee_Holmes so it really is ssh by another name. Where did I leave that whiskey?

Post #AtuTY1M9RbawTfVTP6 by [email protected]
0 likes, 0 repeats
@argv_minus_one @Lee_Holmes To be clear, every quirk is its own unique security…

Post #Atur58lxBpxDyqKxoO by [email protected]
0 likes, 1 repeats
@adamshostack @Lee_Holmes Pining for the fjords, globbing for Adam.

Post #AtvD8KwSbApfaFBGeu by [email protected]
0 likes, 0 repeats
@Lee_Holmes Put a -- before the globbing. That will tell ls to stop interpretin…

Post #AtvG1ULfWha8apOjUO by [email protected]
0 likes, 1 repeats
Ok, this is contrived af but it works :)

Post #AtvHthdsPuEPPkKVfs by [email protected]
0 likes, 0 repeats
@Lee_Holmes does -- fix it?

Post #AtvHthlfwuTBnvyjpY by [email protected]
0 likes, 1 repeats
@CarbonCarrot @Lee_Holmes Nope, find doesn't support it (otherwise it would b…

Post #AtvIZsx6kwOyeeRICe by [email protected]
0 likes, 0 repeats
@Lee_Holmes wait but it does not run thru the command parser right? A file name…

Post #AtvIZt4YJGMB1jvEo4 by [email protected]
0 likes, 1 repeats
@ity No thankfully. Globbing only provides the expanded strings to the paramete…

Post #AtvIkmVr2SGjrst4Zk by [email protected]
0 likes, 0 repeats
@swapgs @Lee_Holmes thx — just read the man page. Nothing new, apparently

Post #AtvIkmbWhMo29TXbPs by [email protected]
0 likes, 1 repeats
@CarbonCarrot @Lee_Holmes and find is not the only offender, there are so many …
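The thread keeps circling three spellings of the same command: a bare `ls *`, the `ls -- *` form several replies recommend, and the `ls ./*` form that works even for commands that, as the reply about find notes, do not honour `--`. The script below is an added example, not code from any post in the thread: it builds a scratch directory containing a constructed, harmless file literally named `-l`, counts how many words each glob form hands to the command that would be parsed as options, and confirms the visible effect on `ls`. It assumes a POSIX sh with `mktemp -d` and an `ls` that prints a single line for `ls -l <one file>` and one name per line when writing to a pipe (GNU and BSD ls both do).

```shell
#!/bin/sh
# Added example (not from the thread): how a glob can deliver an option-looking
# word to a command, and how "--" and a "./" prefix prevent it.
# Every file name here is constructed for the demo.

# Create a scratch directory holding a normal file and a file named "-l".
make_fixture() {
    dir=$(mktemp -d) || return 1
    : > "$dir/report.txt"
    : > "$dir/-l"
    printf '%s\n' "$dir"
}

# Count the words a getopt-style command would treat as options: those that
# start with "-" and appear before a literal "--" end-of-options marker.
count_option_words() {
    n=0
    for w in "$@"; do
        case "$w" in
            --)  break ;;               # everything after this is an operand
            -?*) n=$((n + 1)) ;;        # "-l", "-rf", "--delete", ...
        esac
    done
    echo "$n"
}

# The same directory passed three ways. Each runs in a subshell so the glob
# expands relative to the fixture, exactly as an interactive "ls *" would.
option_words_bare()     { (cd "$1" && count_option_words *); }     # "-l report.txt"
option_words_dashdash() { (cd "$1" && count_option_words -- *); }  # "-- -l report.txt"
option_words_dotslash() { (cd "$1" && count_option_words ./*); }   # "./-l ./report.txt"

# Observable effect on ls: with the bare glob, ls receives "-l report.txt" and
# prints one long-format line; with "--" it lists both names, one per line.
ls_lines_bare()     { (cd "$1" && ls * | wc -l | tr -d ' '); }
ls_lines_dashdash() { (cd "$1" && ls -- * | wc -l | tr -d ' '); }

# Stand-alone demo run.
d=$(make_fixture)
echo "option words, bare glob:  $(option_words_bare "$d")"       # 1
echo "option words, with --:    $(option_words_dashdash "$d")"   # 0
echo "option words, ./ prefix:  $(option_words_dotslash "$d")"   # 0
echo "ls lines, bare glob:      $(ls_lines_bare "$d")"           # 1 (long listing of report.txt)
echo "ls lines, with --:        $(ls_lines_dashdash "$d")"       # 2 (both names)
rm -rf "$d"
```

The `./*` variant is the one to reach for in scripts that call tools without a `--` convention, since a word that begins with `./` can never be mistaken for an option by any argument parser; `--` is the cleaner choice where the command is known to support it.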
Post #AuA3i3AG5Tv6hbQN28 by [email protected]
0 likes, 1 repeats
@Lee_Holmes linux is a pretty dangerous place :neocat_laptop_owo:

Post #AuA3i3IlZqj37zPAIK by [email protected]
0 likes, 1 repeats
@Lee_Holmes i hope '--' can protect my scripts :blobcatsob:

Post #AuLdQKd895xOkOL3tA by [email protected]
0 likes, 0 repeats
@Lee_Holmes Yeah, well, that's why you should not write scripts in shell...…

Post #AuLdQKkZhPub7Tp0Ua by [email protected]
0 likes, 0 repeats
@Lee_Holmes Actually.. youtube-dl should probably be fixed not to allow nasty c…