Bash wildcard expansion globbing abuseIf you enjoy my work, please donate! I work hard keeping oxasploits running!
Bitcoin Donation Address:
You can also sponsor me on GitHub!
Thank you so much and happy hacking!
A lot of my research into bugs goes unfounded, and very seldom do I find a bug by actually looking for it, so much as it was just a typo or something. So when I realized that the wildcard character was actually a bash thing, and not the way that another called program parses arguments, it was because I accidentally typed * in a directory with a file I had accidentally generated somehow with xargs doing something unrelated. The file happened to have a dash in front of it, and that’s where things got more interesting.
Also note that setting
if you’re paranoid should negate all this. Thanks Kerin Millar for this.
This is going to be a little different because I don’t have a use case where this can be abused yet to actually get local privilege escalation or anything yet, but it’s most obviously a bug, and I think it probable that in the wrong context could definitely break scripts that use wildcards, and even calling binaries that use silly things like bash -c. So my example is going to be a bit hypothetical, and this may be updated in the future when I find something it works on.
The basic gist of how it looks in the terminal is:
You can even type just * on the command line and the first file the globbing routine spits out is going to be your command. It becomes obvious now that bash globbing will let you add arguments to a command if you only can drop a file. So dropping a file called
is going to make the called application show its version info. What if the scenario went more like a cron job running as root:
Where part of
’s code is something like:
Then dropping a file called
--levelup in it’s working directory would copy a suid 0 copy of
/tmp/lvl99, subsequently owning the system.
So as with our simplistic example, attacks like this are possible, though you may need to get creative with more than one file, etc. Once you can drop a file, you can let the “*” character’s expansion do the rest. I intend to update this if I find a real-world example of where this attack leverages local priv escalation.
It has been suggested that fixing this would break POSIX compatability, so stuff like this won’t be fixed in the future.
Thanks for reading, and happy haxxoring.