alpine 3.7
shell weakness #3

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

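The flagged call causes a new program to execute and is difficult to use safely: the program name and every argument passed to it must come from values the caller can trust.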

File Name:

dvd+rw-tools/src/dvd+rw-tools-7.1/growisofs_mmc.cpp

Context:

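The highlighted line of code below is the trigger point of this particular Alpine 3.7 shell weakness. The highlighting is not visible in this listing; the only program-execution call in the excerpt is `execlp`, which re-runs `_argv[0]` and passes `-eject` or `-reload` as the first entry of the new argument vector. No shell is invoked, but `execlp` searches `PATH` when the name contains no slash, so the call is only as trustworthy as `_argv[0]` and the caller's environment. The `fcntl` call just before it clears `FD_CLOEXEC`, so `ioctl_fd` is deliberately inherited by the new program.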

 
#if defined(RELOAD_NEVER_NEEDED)
#undef RELOAD_NEVER_NEEDED
#define RELOAD_NEVER_NEEDED 1
#else
#define RELOAD_NEVER_NEEDED 0
#endif
	if (RELOAD_NEVER_NEEDED || no_reload>0)
	{   cmd[0] = 0x1E;	// ALLOW MEDIA REMOVAL
	    cmd[5] = 0;
	    cmd.transport ();

	    return (errno=0);
	}
#if !RELOAD_NEVER_NEEDED

	char fdstr[12],cap2kstr[12];
	int n;
	
	if ((n=fcntl (ioctl_fd,F_GETFD))<0) n=0;
	fcntl (ioctl_fd,F_SETFD,n&~FD_CLOEXEC);

	sprintf (fdstr,"%ld",ioctl_fd);
	sprintf (cap2kstr,"%u",cap2kstart);
	execlp(_argv[0],no_reload<0?"-eject":"-reload",
			fdstr,ioctl_device,cap2kstr,(void *)NULL);
    }
    else
    {
	{ Scsi_Command  cmd;
	  unsigned char c[8];
	  unsigned int  cap2kend;

	    if (!cmd.associate (name,sb)) return 1;

	    cmd[0] = 0x25;	// READ CAPACITY
	    cmd[9] = 0;
	    if (!cmd.transport (READ,c,sizeof(c)))
		cap2kend = c[0]<<24|c[1]<<16|c[2]<<8|c[3];
	    else
		cap2kend = (unsigned int)-1;

	    if (cmd.is_reload_needed(cap2k==cap2kend))
	    {	fprintf (stderr,"%s: reloading tray\n",name);
		cmd[0] = 0x1E;		// ALLOW MEDIA REMOVAL
		cmd[5] = 0;
		if (cmd.transport ()) return 1;

		while (1)	// Pioneer DVR-x05 needs this...
		{   cmd[0] = 0x1B;	// START/STOP UNIT 
