This code extracts a string from passwd.txt in the current directory and finally passes it to realpath. Before passing it to realpath, the string is checked.
In the example that will be shown, it is assumed that passwd.txt is a bit like /etc/passwd and is intended for data where the first column is the user name and the sixth column is the directory.
$ echo 'user1:::::/home/user1:/bin/sh' > passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user1
/home/user1
So what happens if the sixth column is something like "/home/user1/../../root"?
$ echo 'user2:::::/home/user1/../../root:/bin/sh' >> passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user2
error: invalid dir
It is properly recognized as fraudulent. So what happens when we do this?
$ printf 'user3:::::/home/user1/' >> passwd.txt
$ yes '../' | head -43685 | tr -d '\n' >> passwd.txt
$ printf 'root:/bin/sh\n' >> passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user3
./cdwdoc-2023-001_sample_dir3.sh: 9: /bin/echo: Argument list too long
/root
We got a "/root" output.
When cdwdoc-2023-001_sample_dir.sh is run as a stand-alone script from a terminal, the user trying it is themselves affected by the ARG_MAX limit.
In the case of cdwdoc-2023-001_sample_dir3.sh, the attackers themselves may not be affected by the ARG_MAX limit.
cdwdoc-2023-001_sample_dir.sh is here: https://gitlab.com/-/snippets/2487375
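The output above shows the failure mode: the check relied on an external command (/bin/echo), the command failed with "Argument list too long" once the sixth column exceeded ARG_MAX, and the script carried on to realpath as if the check had passed. The following is an added example, not the cdwdoc-2023-001 sample script and not code from its author; the sample script's internal logic is not shown on this page, so the check below is a reimplementation of the idea that fails closed. It uses only shell builtins (case, parameter expansion, read, printf), so no execve happens during validation and ARG_MAX cannot be reached; it also caps the length at 4096 (assumed here to be PATH_MAX, as on Linux) and rejects any "." or ".." component before the path is ever handed to realpath. The function names is_clean_abs_dir, lookup_home and make_sample_passwd and the passwd-style sample entries are all constructed for this example.

```shell
#!/bin/sh
# Added example for cdwdoc-2023-001 (not the original sample script).
# Fail-closed check of the directory column of a passwd-style file using
# builtins only, so the check cannot be skipped by an external command
# failing with "Argument list too long".

# Hypothetical helper: exit 0 if $1 is an absolute path of at most 4096 bytes
# (assumed PATH_MAX) with no empty, "." or ".." component; exit 1 otherwise.
is_clean_abs_dir() {
    dir=$1
    # Length cap first: anything longer than PATH_MAX is invalid regardless
    # of content, and ${#dir} is an expansion, not an exec.
    [ "${#dir}" -le 4096 ] || return 1
    case "$dir" in
        /*) ;;              # must be absolute
        *) return 1 ;;
    esac
    rest=${dir#/}
    # Walk each "/"-separated component with parameter expansion only.
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case "$comp" in
            ''|.|..) return 1 ;;   # "//", "/./" and "/../" all rejected
        esac
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *) rest= ;;
        esac
    done
    return 0
}

# Hypothetical helper: print the validated sixth column for user $2 from the
# passwd-style file $1. Prints nothing and exits 1 if the user is absent or
# the directory fails the check, so a caller never gets an unchecked path.
lookup_home() {
    file=$1
    user=$2
    # read is a builtin and has no ARG_MAX; ":" as IFS keeps empty fields.
    while IFS=: read -r name f2 f3 f4 f5 home shell_rest; do
        [ "$name" = "$user" ] || continue
        if is_clean_abs_dir "$home"; then
            printf '%s\n' "$home"      # printf is a builtin in sh/dash/bash
            return 0
        fi
        echo 'error: invalid dir' >&2
        return 1
    done < "$file"
    return 1
}

# Constructed sample file mirroring the three cases on the page: a clean
# entry, a short "../" traversal, and a traversal longer than ARG_MAX.
make_sample_passwd() {
    out=$1
    printf 'user1:::::/home/user1:/bin/sh\n' > "$out"
    printf 'user2:::::/home/user1/../../root:/bin/sh\n' >> "$out"
    # Build roughly 196 KB of "../" by doubling (exceeds the usual 128 KB
    # single-argument limit), without ever exec'ing an external command.
    dots=../
    while [ "${#dots}" -lt 140000 ]; do
        dots="$dots$dots"
    done
    printf 'user3:::::/home/user1/%sroot:/bin/sh\n' "$dots" >> "$out"
}
```

Usage: source the file (or paste the functions into a script), call make_sample_passwd passwd.txt, then lookup_home passwd.txt user3; the long entry is rejected by the length cap and the "../" entry by the component walk, and both return exit status 1 with no path printed. The design point is that every step of the check is an expansion or a builtin, so there is no external process whose failure could be silently ignored; if an external command is unavoidable, its exit status must be tested and treated as a rejection.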