centos 7
shell weakness #11

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

dyninst-9.3.1/testsuite-9.3.0/src/testdriver_wrapper.C

Context:

The highlighted line of code below is the trigger point of this particular Centos 7 shell weakness.

    //args[j++] = "/g/g0/legendre/tools/valgrind/bin/valgrind";
   //args[j++] = "--tool=memcheck";
   for (i=0; i<arg_count; i++) {
      args[j++] = strdup(cur);
      while (*(cur++) != '\0');
   }
   
   args[j++] = const_cast<char *>("-socket_fd");
   char *socket_fd = (char *) malloc(16);
   snprintf(socket_fd, 16, "%d", connection->getFD());
   args[j++] = socket_fd;

   for (i=1; i<gargc; i++) {
      args[j++] = gargv[i];
   }

   args[j++] = NULL;
}

static void parse_go()
{
   int error;

   assert(args);
   execv(args[0], args);
   error = errno;
   if (debug_log)
     fprintf(debug_log, "Failed to execv %s: %s\n", args[0], strerror(error));
   assert(0);
}

static void runLdd(std::string filename, MessageBuffer &buf)
{
   char cmd_line[4092];
   snprintf(cmd_line, 4092, "ldd %s", filename.c_str());

   buf.add(cmd_line, strlen(cmd_line));
   buf.add("\n", 1);
   FILE *f = popen(cmd_line, "r");
   if (!f) {
      buf.add("ldd error\n", strlen("ldd error\n")+1);
      return;
   }
   while (!feof(f)) {
      char buffer[257];
      ssize_t num_read = fread(buffer, 1, 256, f);
      buf.add(buffer, num_read);
   }
   pclose(f);   
} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.