alpine 3.7
shell weakness #2

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

abuild/src/abuild-3.1.0/abuild-rmtemp.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 shell weakness.

 #include <ftw.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PREFIX "/var/tmp/abuild."

static void fail() {
	errx(1, "%s", strerror(errno));
}

static int handler(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
	return remove(fpath);
}

int main(int argc, char **argv) {
	if (argc < 2) return 0;

	if (getuid()) {
		argv[0] = "-abuild-rmtemp";
		execv("/usr/bin/abuild-sudo", argv);
	}

	if (strncmp(argv[1], PREFIX, strlen(PREFIX)) || \
		strchr(argv[1] + strlen(PREFIX), '/'))
		errx(1, "Invalid path: %s", argv[1]);

	struct stat s;
	if (lstat(argv[1], &s)) fail();
	struct passwd *p = getpwnam(getenv("USER"));
	if (!p) errx(1, "Incorrect user");
	if (s.st_uid != p->pw_uid) errx(1, "Permission denied");

	if (nftw(argv[1], handler, 512, FTW_DEPTH)) fail();

	return 0;
} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.