
I'm wondering if the following code is vulnerable to command injection in bash:

sumo /bin/netflash -Uk $CONTROLED_OPTION 2>&1 

I'm thinking that since it's not enclosed in " " it should be vulnerable, but I'm not sure, since I can't make the command injection work: I tried $(), ``, |, && and || but nothing is working.

Or do I need the command to be inside an eval to be vulnerable?

  • I guess it also depends on what parameters netflash accepts, and what you can do with those parameters Commented Mar 14, 2020 at 17:01
  • Yes, I know, but I would like to know if it's possible to run another command and not just abuse the dangerous options, if there are any. Like, can we "break out" of this command line? Or are we limited to the options of the current command? Thank you Commented Mar 15, 2020 at 14:50

1 Answer


You added in a comment, that you care about breaking out of the command and not attacking netflash directly by supplying a specific malicious parameter.

The answer to this is no, you cannot break out of this construct. Bash understands that you are supplying a parameter and doesn't allow you to manipulate the statement itself. Bash would have to do an implicit string concatenation at this point, which it does not do.

As you mentioned, if eval was used, exactly this kind of concatenation would take place and it would be vulnerable. Without eval, it is safe.

There might of course be a vulnerability in netflash itself, that can be triggered by the supplied parameter, but I understood that this is out of scope of the question (and would require a deep dive into netflash).

  • Thank you for the answer, it's very clear! I had no idea that bash was aware of that! Thank you, is only eval vulnerable then? Is there no other one, like exec or something? Thanks! Commented Mar 16, 2020 at 11:48
  • That's a broad question in regards to bash. Every mechanism that uses actual string concatenation and executes the result (like eval does) will be vulnerable. You have to evaluate this on a case by case basis. Commented Mar 16, 2020 at 12:39
  • Do you have another example of concatenation that leads to command injection, to understand better, please? Commented Mar 17, 2020 at 9:15
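The script below is an added example and is not part of the original question or answer. It puts the construct from the question (unquoted $CONTROLED_OPTION) beside the eval form the answer describes, using a stand-in function in place of /bin/netflash that only reports the argument vector it received, so nothing is flashed and the script is harmless to run; the payloads are constructed for the demonstration. It also goes slightly beyond the page: it shows that quoting the expansion collapses the value to a single argument, and that the unquoted form still word-splits, so a value like `-x --force` reaches the program as two separate options (a value containing `*` would additionally be glob-expanded against the current directory). That is the argument-injection surface the answer leaves to netflash itself.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. /bin/netflash is replaced by
# a stand-in that only prints the argument vector it received, so this
# is safe to run. All payloads below are constructed for the demo.

# Stand-in for /bin/netflash: prints the argument count and each
# argument in brackets, so word splitting is visible.
netflash_stub() {
    printf 'argc=%d' "$#"
    for a in "$@"; do
        printf ' [%s]' "$a"
    done
    printf '\n'
}

# The construct from the question. The value is expanded, word-split
# and glob-expanded, but the result only ever becomes arguments: the
# parser has already decided where the command ends before expansion.
run_direct() {
    CONTROLED_OPTION=$1
    netflash_stub -Uk $CONTROLED_OPTION 2>&1
}

# Same construct with the expansion quoted: exactly one argument,
# whatever the value contains.
run_quoted() {
    CONTROLED_OPTION=$1
    netflash_stub -Uk "$CONTROLED_OPTION" 2>&1
}

# The command line assembled as a string and handed to eval. The string
# is parsed a second time, so ';', $( ), backticks and '|' inside the
# value are shell syntax on that pass.
run_eval() {
    CONTROLED_OPTION=$1
    eval "netflash_stub -Uk $CONTROLED_OPTION 2>&1"
}

# Demonstration with the payload the question tried. Only the eval form
# executes "echo INJECTED" as a separate command; the direct form hands
# ';', 'echo' and 'INJECTED' to the program as three arguments.
PAYLOAD='; echo INJECTED'
echo "direct : $(run_direct "$PAYLOAD")"
echo "quoted : $(run_quoted "$PAYLOAD")"
echo "eval   : $(run_eval "$PAYLOAD")"
# Argument injection still works without eval: two options arrive.
echo "split  : $(run_direct '-x --force')"
```

Any construct that rebuilds the command line as a string and then re-parses it behaves like the eval case, for example `sh -c "netflash -Uk $CONTROLED_OPTION"`; plain `exec netflash -Uk $CONTROLED_OPTION` does not, because exec receives an argument vector, not a string.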
