• Examples of attacks:

    $ ls -l /home/user1
    total 0
    $ getconf ARG_MAX
    $ str="$(yes '../' | head -43684 | tr -d '\n')"
    $ echo ${#str}
    $ ./cdwdoc-2023-001_sample_dir.sh "user1" "${str}root" "aaaaaaaaaaaaaaaa"
    ./cdwdoc-2023-001_sample_dir.sh: 5: /bin/echo: Argument list too long
    $ echo $?
    $ ./cdwdoc-2023-001_sample_dir2.sh "user1" "${str}root" "aaaaaaaaaaaaaaaa"
    ./cdwdoc-2023-001_sample_dir2.sh: 5: /bin/echo: Argument list too long
    error: invalid dir
    $ echo $?
  • cdwdoc-2023-001_sample_dir2.sh is here: https://gitlab.com/-/snippets/2487377
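
  • The following is an added example and is not the code of cdwdoc-2023-001_sample_dir.sh or cdwdoc-2023-001_sample_dir2.sh (those are only linked, not reproduced, here). It shows the behaviour the second transcript relies on, applied one step earlier: bound and validate the attacker-controlled name with shell builtins before any external command is exec'd, so an over-long argument can never reach execve(), and treat a failing external command as a hard error instead of continuing. The function names valid_dirname and show_home_dir and the /home/<user>/<dir> layout are assumptions made for the example; the attack string is the one built in the transcript above.

```shell
# Added example, not the cdwdoc-2023-001 sample scripts. Assumes a POSIX sh
# (dash, bash, busybox ash) on Linux with /bin/echo present.

# Accept exactly one path component: 1..255 bytes, no '/', not "." or "..".
# ${#var} and case are shell builtins, so they are never subject to the
# execve() argument limits, however long the attacker's string is.
valid_dirname() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 255 ] || return 1
    case $1 in
        */* | . | ..) return 1 ;;
    esac
    return 0
}

# Prints /home/<user>/<dir> via the external /bin/echo, but only after both
# names passed validation, and fails closed if the external command itself
# fails (for example because execve() returned E2BIG).
# Returns 0 on success, 1 with "error: invalid dir" on stderr otherwise.
show_home_dir() {
    if ! valid_dirname "$1" || ! valid_dirname "$2"; then
        echo "error: invalid dir" >&2
        return 1
    fi
    if ! /bin/echo "/home/$1/$2"; then
        echo "error: invalid dir" >&2
        return 1
    fi
}

# Constructed attack string, the same one as in the transcript above:
# 43684 copies of "../" (131052 bytes) followed by "root".
attack_dir="$(yes '../' | head -n 43684 | tr -d '\n')root"

# Demonstration when run stand-alone.
show_home_dir user1 docs
show_home_dir user1 "$attack_dir" || echo "rejected before any exec, status $?"
show_home_dir user1 '../root' || echo "rejected traversal, status $?"
```

  The length bound is checked first, so the huge string is rejected without ever being passed to /bin/echo; the second `if` only matters for inputs that pass validation but still make the external command fail, and it turns that into an error rather than silently continuing.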

  • In Linux, the behavior around ARG_MAX changed drastically in kernel 2.6.23 (released in October 2007), and there seems to have been a slight change in kernel 2.6.25 (released in April 2008).

    If an attacker deliberately makes a single argument huge, the macro constant MAX_ARG_STRLEN (32 * PAGE_SIZE, i.e. 131072 bytes on 4 KiB pages, counted including the terminating NUL) may matter more than the overall command line size on Linux since kernel 2.6.23: execve() fails with E2BIG as soon as any one argument or environment string exceeds it, regardless of how small the rest of the command line is.

    In the current fs/exec.c in the Linux kernel, the length check against MAX_ARG_STRLEN is the following part (only when CONFIG_MMU=y):
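
    The per-argument limit can be observed from userspace. The following is an added shell example (not code from the page and not kernel code): it execs /bin/true with a single argument of a chosen length and reports the shell's exit status for that exec. It assumes Linux with CONFIG_MMU=y, that MAX_ARG_STRLEN is 32 * PAGE_SIZE counted including the terminating NUL, that getconf PAGESIZE and /bin/true are available, and that the shell reports a failed execve() as status 126 (dash, bash and busybox ash all do). The function names max_arg_strlen and exec_status_for_arg_len are assumptions made for the example.

```shell
# Added example, not from the original page or the kernel. Assumes Linux
# (CONFIG_MMU=y) and a POSIX sh.

# The kernel's limit on one argv/envp string, INCLUDING the terminating NUL:
# MAX_ARG_STRLEN = PAGE_SIZE * 32 (131072 bytes with 4 KiB pages).
max_arg_strlen() {
    # Assumption: fall back to 4096 if getconf is unavailable.
    pagesize=$(getconf PAGESIZE 2>/dev/null || echo 4096)
    echo $((pagesize * 32))
}

# Exec /bin/true with exactly one argument of $1 non-NUL bytes and print the
# exit status: 0 if execve() succeeded, 126 if the shell could not exec it
# (dash, bash and busybox ash report a failed execve such as E2BIG as 126).
exec_status_for_arg_len() {
    arg=$(head -c "$1" /dev/zero | tr '\000' A)
    if /bin/true "$arg" 2>/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# Demonstration when run stand-alone: one byte under the limit is accepted
# (limit - 1 bytes + NUL == MAX_ARG_STRLEN), one more byte is rejected, even
# though the whole command line is far below ARG_MAX.
limit=$(max_arg_strlen)
echo "MAX_ARG_STRLEN = $limit"
echo "$((limit - 1)) bytes: status $(exec_status_for_arg_len $((limit - 1)))"
echo "$limit bytes: status $(exec_status_for_arg_len "$limit")"
```

    Note that the boundary is on a single string, so an attacker does not need to approach `getconf ARG_MAX` at all: a command line that is tiny apart from one 128 KiB argument still fails, which is exactly what makes the transcript above work.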
