alpine 3.7
shell weakness #1

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

The flagged call, `system()`, passes its string to the host's command processor. This causes a new program to execute and is difficult to use safely.

File Name:

antiword/src/antiword-0.37/startup.c

Context:

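The highlighted line of code below is the trigger point of this particular Alpine 3.7 shell weakness. The highlighting is not preserved in this listing; the only call in the excerpt that starts a new program is `system(szCommand);`. The command string it runs has `argv[1]` appended to it unmodified by `strcat`. The only check on `argv[1]` shown is a length comparison against the size of the `filename` field, so the content of the argument is not validated before it reaches the command line. The declaration of `szCommand` is outside the excerpt, so whether that buffer is large enough for the prefix, the argument and the DEBUG suffix cannot be confirmed here. When reviewing the full file, check that the argument is restricted to characters the command processor does not treat specially, and that every write to `szCommand` is bounded by its size.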

 
	if (argc > 1) {
		tArgLen = strlen(argv[1]);
	} else {
		tArgLen = 0;
	}
	if (tArgLen >= sizeof(tMsg.data.dataload.filename)) {
		werr(1, "Input filename too long");
		return EXIT_FAILURE;
	}

	tTaskHandle = tGetTaskHandle("antiword");

	if (tTaskHandle == 0) {
		/* Antiword is not active */
		strcpy(szCommand, "chain:<Antiword$ Dir>.!Antiword");
		if (argc > 1) {
			strcat(szCommand, " ");
			strcat(szCommand, argv[1]);
		}
#if defined(DEBUG)
		strcat(szCommand, " ");
		strcat(szCommand, "2><Antiword$ Dir>.Debug");
#endif /* DEBUG */
		system(szCommand);
		/* If we reach here something has gone wrong */
		return EXIT_FAILURE;
	}

	/* Antiword is active */
	if (argc > 1) {
		/*
		 * Send the argument to Antiword by imitating a
		 * drag-and-drop to Antiword's iconbar icon
		 */
		memset(&tMsg, 0, sizeof(tMsg));
		tMsg.header.size = ROUND4(offsetof(message_block, data) +
					offsetof(message_dataload, filename) +
					1 + tArgLen);
		tMsg.header.yourref = 0;
		tMsg.header.action = message_DATALOAD;
		tMsg.data.dataload.window = window_ICONBAR;
		tMsg.data.dataload.icon = -1;
		tMsg.data.dataload.size = 0;
		tMsg.data.dataload.filetype = FILETYPE_MSWORD;
		strcpy(tMsg.data.dataload.filename, argv[1]);
		Error_CheckFatal(Wimp_SendMessage(event_SEND,
						&tMsg, tTaskHandle, 0));
		return EXIT_SUCCESS;
	} else { 
