1 of 29

Argument Injection

Joern Schneeweisz

Security Researcher

2020-02-24

2 of 29

Agenda

  • “Classic” OS Command Injection
    • Common countermeasures
  • Argument Injection
    • General concept
  • Argument Injection by example
    • CVE-2017-1000083
    • CVE-2017-1000117 walk through, identification and analysis
  • Conclusions

3 of 29

OS Command Injection

5 of 29

system("echo <user input here>")

A call to system("command and arguments") will end up like:

sh -c "command and arguments"

The string command and arguments is effectively a shell script being run, so sh will interpret any shell metacharacters in it.

A typical attack, if our input controls for instance just the arguments part of command and arguments, would be to inject `another command` (note the backticks). The culprit here is the shell sh interpreting those backticks and executing the user-supplied another command.

6 of 29

system("echo <user input here>")

Besides escaping any shell metacharacters, a typical countermeasure is to invoke the program without using the shell at all.

Using the shell in ruby:

system('echo $HOME')

⇒ /home/joern

Same without using the shell:

system('echo','$HOME')

⇒ $HOME

By getting rid of the sh layer and calling echo directly we can't inject into sh anymore.

7 of 29

EXEC(3)

11 of 29

The basics of Argument Injection

Consider a file named -a:

rm is a bit smarter about this:

12 of 29

The basics of Argument Injection

Let's recap to define which type of Argument Injection we're talking about:

We use a call to an exec(3)-style function where the command is invoked directly, without the detour via sh -c. Here the injection takes place into one (or more) of the command's arguments, meaning a user can control at least one of the arg1 ... argn inputs to the exec call.

Or the shell is involved, but all arguments/user inputs are properly escaped prior to invocation.

Exploitation of such an Argument Injection is not universal; it depends heavily on the invoked program.

Note: We're NOT talking about Argument Injection as MITRE describes it in CWE-88.

13 of 29

evince: Command injection vulnerability in CBT handler

From: Felix Wilhelm

=========================

The comic book backend in evince 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened:

cbt files are simple tar archives containing images. When a cbt file is processed, evince calls "tar -xOf $archive $filename" for every image file in the archive:

// backend/comics/comics-document.c: 914
command_line = g_strdup_printf ("%s %s %s",
                                comics_document->extract_command,
                                quoted_archive,
                                quoted_filename);

15 of 29

evince: Command injection vulnerability in CBT handler

While both the archive name and the filename are quoted to not be interpreted by the shell, the filename is completely attacker controlled and can start with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a tar archive with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"

[..]

An easy way to fix this would be to change the ComicBookDecompressCommand entry for tar to

{"%s -xOf --" , "%s -tf -- %s" , NULL , FALSE, NO_OFFSET}

20 of 29

GETOPT(3)

In the tar example (as well as in most others) the -- argument can be used to end option scanning.
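The "-a" file from the basics slide and the `--` point above, worked through in Ruby (the language used for the system() examples earlier): an added example, not code from the slides. It assumes cat as the invoked program and a scratch directory; it shows the three argv shapes a defender can choose, including the "prefix the user input" idea from the summary.

```ruby
require 'open3'
require 'tmpdir'

# Three ways of handing a user-controlled file name to an external command,
# all as argv arrays, so no shell is ever involved:
#   :none      -> the name lands where getopt(3) still scans for options
#   :separator -> "--" ends option scanning; everything after it is an operand
#   :prefix    -> "./" keeps the name from starting with "-" at all
def argv_for(cmd, user_input, guard:)
  case guard
  when :none      then [cmd, user_input]
  when :separator then [cmd, '--', user_input]
  when :prefix    then [cmd, user_input.start_with?('-') ? "./#{user_input}" : user_input]
  else raise ArgumentError, "unknown guard #{guard.inspect}"
  end
end

# Creates a file with the given (possibly option-looking) name in a scratch
# directory and runs cat on it via the chosen argv shape.
# Returns [success?, combined stdout+stderr]. Constructed scenario mirroring
# the "-a" file from the slides; nothing here touches files outside the tmpdir.
def run_on_file(name, guard:)
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, name), "hello\n")
    Dir.chdir(dir) do
      out, status = Open3.capture2e(*argv_for('cat', name, guard: guard))
      [status.success?, out]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[none separator prefix].each do |guard|
    ok, out = run_on_file('-a', guard: guard)
    puts "#{guard}: success=#{ok} output=#{out.inspect}"
  end
end
```

With :none, cat parses -a as an option and fails; with :separator or :prefix it reads the file. The same argv discipline is what the ssh hostname case on the following slides lacks.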

21 of 29

CVE-2017-1000117 - Git RCE

DEMO / WALK THROUGH

22 of 29

CVE-2017-1000117 - TL;DR

git clone ssh://-oProxyCommand=gnome-calculator/wat

git will invoke ssh to clone from the "host" -oProxyCommand=gnome-calculator

ssh will see the option -oProxyCommand= being set to gnome-calculator

From the ssh_config manpage:

ProxyCommand

Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user's shell.[...]

27 of 29

Exploitation / Your mileage might vary

It's hard to generalize Argument Injection: the actual exploitation path depends on the invoked program. The two example target programs, tar and ssh, both allow arbitrary command execution, but this will not always be the case.

Sometimes we can only read or delete files we're not supposed to, or create/overwrite files with only partially controlled content (e.g. log files).

That's the fun part about Argument Injection: fiddling around and building a high-impact scenario out of the given vulnerability.

28 of 29

Recap / Summary

Defender Perspective

  • Try to avoid invoking subcommands at all
  • Avoid invoking subcommands :P
  • See if you can prefix user input that might contain options, so it can no longer start with a dash
  • Use `--` to stop option processing, and put user input after it.

Attacker Perspective

  • Leaving out the shell might be insufficient
  • The impact and exploitation scenario are heavily dependent on the invoked command, sometimes even on the position of the injection point.
    • RTFM - Read the fine manual!
  • Use e.g. strace to trace and debug which commands are being invoked

29 of 29

Thanks for your time!

Any questions?

@joernchen / jschneeweisz@gitlab.com