centos 7
shell weakness #10

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

dyninst-9.3.1/testsuite-9.3.0/src/testdriver_wrapper.C

Context:

The highlighted line of code below is the trigger point of this particular Centos 7 shell weakness.

 FILE *debug_log = stderr;
FILE *getDebugLog()
{
   return debug_log;
}

#if !defined(os_freebsd_test)
#include <link.h>
void copy_iolibs()
{
  char cmd_line[4096], *last_slash;
  struct link_map *lm;
  for (lm = _r_debug.r_map; lm != NULL; lm = lm->l_next) {
    if (!lm->l_name || !lm->l_name[0]) 
      continue;
    snprintf(cmd_line, 4096, "mkdir -p io_libs%s", lm->l_name);
    last_slash = strrchr(cmd_line, '/');
    if (last_slash) *last_slash = '\0';
    fprintf(debug_log, "%s\n", cmd_line);
    system(cmd_line);
    snprintf(cmd_line, 4096, "cp -u %s io_libs%s", lm->l_name, lm->l_name);
    last_slash = strrchr(cmd_line, '/');
    if (last_slash) *last_slash = '\0';
    fprintf(debug_log, "%s\n", cmd_line);
    system(cmd_line);
  }
}
#else
void copy_iolibs()
{
}
#endif

int main(int argc, char *argv[])
{
   struct rlimit infin;
   int result;

// static volatile int loop = 0;
// while (loop == 0);
   
   infin.rlim_cur = RLIM_INFINITY;
   infin.rlim_max = RLIM_INFINITY;
   result = setrlimit(RLIMIT_CORE, &infin);

   gargc = argc;
   gargv = argv;

   setcwd();
   debug_log = fopen("./wrapper_output", "w"); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.