Bash Command Injection Vulnerability #81
Comments
Just to add some details here as I was the person who originally found this, but I'm perfectly fine with Electro submitting this report, you can fix any issues with the ending Such as: You could also theoretically replace
Did you manage to reproduce this even in a restricted shell (setup mentioned here)?
I haven't tested it in a restricted shell yet, however I would assume the vulnerability in and of itself would still exist, however the capability of it would be somewhat limited (no Now you could theoretically limit the capability of the vulnerability even further by using a chroot jail in combination with a restricted shell however that doesn't address the vulnerability at hand, and would require the system administrators to implement these features on their installations, instead of simply updating the Looking Glass software. In addition, nothing is stopping me from possibly escaping the restricted shell by creating a new instance of I could then make this script file add a new user to the system (assuming the script is running as root or some other user with higher privileges on the system) and allow me to SSH into it, or do other things. Once again though, I haven't personally tested this in a restricted shell, these are all assumptions I am making, and I welcome any corrections if I am wrong.
We definitely have to fix the issue by sanitizing the user input or forbidding him to use some harmful characters. That is what was done to fix issue #13. In addition to that fix I strongly suggest users to not use this script as root and with a standard shell.
Hi,
I've found a bug that allows me to inject any bash command I want into the system running the script. My tests used the BIRD router, I don't know if this is possible on other systems. If the user configuring the router used a user with no permissions, this may not be an issue, but if they didn't, you could wreak havoc on systems:
To reproduce it:
Open your looking glass
Select "show route as-path-regex" as the command
Enter "test =]' && echo '"
You will see that the closing character of the command (=]) has been printed.
You can then modify the command to do things like list the directory of / (replace the "echo" part with any bash command, and it will be executed, but the =] will be printed after, so this is technically limited to commands that can have that extra bit thrown out, but I was able to find a few including rm that this could cause major issues with)
Here's an example of how I was able to use "curl" with this. It could be used to download a shell-backdoor and execute it.
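Added example, not part of the original report or the project's own code: a sketch of the fix discussed in the comments (forbid harmful characters, then quote), checked against the input from the reproduction steps. The `birdc` query template, the allow-list and all function names are assumptions made for illustration.

```python
import re
import shlex

# The input from the reproduction steps in the report above.
REPORTED_INPUT = "test =]' && echo '"

# Assumed BIRD query template; the project's real template is not on this page.
TEMPLATE = "show route where bgp_path ~ [= {} =]"

# Assumed allow-list: AS numbers, spaces and the "*" / "?" wildcards only.
ALLOWED = re.compile(r"[0-9*? ]{1,64}")


def naive_command(as_path):
    """Vulnerable pattern: user text pasted between fixed single quotes."""
    return "birdc '" + TEMPLATE.format(as_path) + "'"


def quote_only_command(as_path):
    """Shell layer only: the whole query is escaped into one shell word."""
    return "birdc " + shlex.quote(TEMPLATE.format(as_path))


def safe_command(as_path):
    """Allow-list first, then quote, so neither the shell nor BIRD's own
    parser receives characters outside the expected as-path syntax."""
    if not ALLOWED.fullmatch(as_path):
        raise ValueError("as-path expression contains forbidden characters")
    return quote_only_command(as_path)


def shell_words(command):
    """Approximate POSIX word splitting (operators like && show as words)."""
    return shlex.split(command)


if __name__ == "__main__":
    # The naive build ends the quoted query early: "&&" and "echo" become
    # separate shell words, and the trailing " =]" is what echo prints.
    print(shell_words(naive_command(REPORTED_INPUT)))
    # Quoting keeps the same input inside a single argument to birdc.
    print(shell_words(quote_only_command(REPORTED_INPUT)))
    # The allow-list accepts an ordinary expression and rejects the report's.
    print(safe_command("65000 *"))
    try:
        safe_command(REPORTED_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

Quoting alone stops the shell from seeing a second command, but the allow-list is what keeps unexpected characters out of the router's own command parser, which is why the sketch applies both.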