old school hacking : exploiting unix wildcards

Post on 16-Jul-2015


OLD SCHOOL HACKING: Exploiting UNIX Wildcards

Emir Fares BELMAHDI

belmahdi@emirfares.com @emirfares

www.emirfares.com

FOUR PARTS

• About Wildcards

• Exploiting Wildcards

• Some useful tricks

• Conclusion

ABOUT WILDCARDS

• A character used to substitute for any other character or characters

• Used in regular expressions

• Commonly used in shell commands in Linux and other Unix-like operating systems

• In this case, wildcards are interpreted by the shell before any action is taken

* matches any number of characters in a filename, including none. Example: cat e*

? matches any single character. Example: cat te?t.php

[ ] Brackets enclose a set of characters, any one of which may match a single character. Example: cat file[123456789].txt

- A hyphen used within [ ] denotes a range of characters. Example: cat file[1-9].txt

~ A tilde at the beginning of a word expands to the name of your home directory. If you append another user's login name to the character, it refers to that user's home directory. Examples: ls ~ and ls ~blackfox

EXPLOITING WILDCARDS

Files whose names begin with the (-) character are interpreted as command-line arguments

Folder containing some files: File1, File2, --help

User executes command: cat *

cat File1.txt → File content: OK!

cat File2.php → File content: OK!

cat --help → “cat” command help & usage: MAGIC!

USING STRACE

blackfox@dojo:~/wildcards$ strace cat *

execve("/bin/cat", ["cat", "File1.txt", "File2.txt", "--help"],[/* 69 vars */]) = 0

/bin/cat File1.txt File2.txt --help

(File1.txt = 1st file, File2.txt = 2nd file, --help = 3rd file)

DEMO

USEFUL TRICKS

CHOWN

blackfox@dojo:~/wildcards$ echo > ".some_hidden_file"

blackfox@dojo:~/wildcards$ chown user:user .some_hidden_file

blackfox@dojo:~/wildcards$ echo > "--reference=.some_hidden_file"

CHMOD

blackfox@dojo:~/wildcards$ echo > ".some_hidden_file"

blackfox@dojo:~/wildcards$ chmod 777 .some_hidden_file

blackfox@dojo:~/wildcards$ echo > "--reference=.some_hidden_file"

REAL LIFE SCENARIO: GETTING ROOT ACCESS

From tar help manual (see: tar --help)

--checkpoint[=NUMBER] : display progress messages every NUMBERth record (default 10)

--checkpoint-action=ACTION : execute ACTION on each checkpoint

Executing arbitrary commands with the privileges of the user that runs “tar”

Let's imagine a backup script

DEMO

CONCLUSION

NEVER TRUST INPUTS

Filter file names
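One way to apply the "filter file names" advice, as an added example that is not part of the original slides: it lists the names in a directory that a bare * would pass to a command as options, and reads the files through ./* with -- so those names are opened as files. The function names and the sample directory (modelled on the File1/File2/--help folder above) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): audit a directory for option-like
# file names, then read its files in a way those names cannot hijack.

# Print every entry in directory $1 whose name starts with "-".
# These are the names a bare "*" would hand to a command as options.
list_option_like_names() {
    for path in "$1"/-*; do
        [ -e "$path" ] || continue        # unmatched glob stays literal: skip
        printf '%s\n' "${path##*/}"       # strip the directory prefix
    done
}

# Concatenate all regular files in directory $1.
# "./*" makes every expanded word start with "./", and "--" ends option
# parsing, so a file named "--help" is opened as a file, not read as a flag.
safe_cat_all() {
    (
        cd -- "$1" || exit 1
        for f in ./*; do
            if [ -f "$f" ]; then
                cat -- "$f"
            fi
        done
        exit 0
    )
}

# Constructed sample directory: File1.txt, File2.txt and a file named --help.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf 'one\n'   > "$d/File1.txt"
    printf 'two\n'   > "$d/File2.txt"
    printf 'three\n' > "$d/--help"
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
echo "Option-like names found:"
list_option_like_names "$demo"
echo "Contents read safely:"
safe_cat_all "$demo"
rm -rf -- "$demo"
```

The order in which ./* expands depends on the locale's collation, so the three files may be printed in a different order on different systems.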

AVOID USING WILDCARDS AS A PRIVILEGED USER (ROOT)

Create a simple user instead

OR

DON'T USE WILDCARDS AT ALL!

Create your own scripts with the same features

ALWAYS TEST YOUR SECURITY

Pentesting is important to detect vulnerabilities or misconfigurations

QUESTIONS?
