Bash wildcard expansion globbing abuse
Background
A lot of my research into bugs goes unfounded, and very seldom do I find a bug by actually looking for it, so much as it was just a typo or something. So when I realized that the wildcard character was actually a bash thing, and not the way that another called program parses arguments, it was because I accidentally typed * in a directory with a file I had accidentally generated somehow with xargs doing something unrelated. The file happened to have a dash in front of it, and that’s where things got more interesting.
Edit:
Also note that setting GLOBIGNORE=-* (or GLOBIGNORE=* if you're paranoid) should negate all this. Thanks Kerin Millar for this. A caveat for scripts: GLOBIGNORE is a bash variable and only affects expansion done by the bash that has it set, so it protects your interactive shell but not a script run by sh or cron; a script should write ./* instead of a bare *, or put -- before the glob so the called program stops looking for options. Setting GLOBIGNORE to any non-null value also makes * match dotfiles.
PoC
This is going to be a little different because I don't yet have a use case where this can be abused to actually get local privilege escalation, but it is quite obviously a bug, and in the wrong context it could break scripts that use wildcards, and even programs that shell out with silly things like bash -c. So my example is going to be a bit hypothetical, and this may be updated in the future when I find something it works on.
The basic gist of how it looks in the terminal is:
You can even type just * on the command line: the first name the glob expands to becomes the command that runs, and every name after it becomes one of that command's arguments. It becomes obvious now that bash globbing will let you add arguments to a command if all you can do is drop a file. Bash itself hands the expanded name over as an ordinary word; it is the called program's option parser that sees the leading dash and treats it as a flag. So dropping a file called --version is going to make the called application show its version info. What if the scenario went more like a cron job running as root:
Where part of supersecure's code is something like:
Then dropping a file called --levelup in its working directory would place a setuid-root copy of /bin/bash at /tmp/lvl99, subsequently owning the system.
Conclusion
So as with our simplistic example, attacks like this are possible, though you may need to get creative, with more than one file and so on. Once you can drop a file, you can let the expansion of the "*" character do the rest. I intend to update this if I find a real-world example where this attack gives local privilege escalation.
Edit:
It has been suggested that fixing this would break POSIX compatibility (pathname expansion is part of the POSIX shell specification), so stuff like this won't be fixed in the future.
Thanks for reading, and happy haxxoring.
If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!
Bitcoin Address:
bc1qq7vvwfe7760s3dm8uq28seck465h3tqp3fjq4l
Thank you so much and happy hacking!