centos 7
shell weakness #15

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

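This causes a new program to execute and is difficult to use safely. The call flagged here appears to be `popen` (see the excerpt below), which hands its command string to the shell, so every part of that string has to be trusted or safely quoted.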

File Name:

dyninst-9.3.1/dyninst-9.3.1/dataflowAPI/rose/semantics/SMTSolver.C

Context:

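The highlighted line of code below is the trigger point of this particular CentOS 7 shell weakness. The highlighting is not preserved in this text version; the only call in the excerpt that starts a new program is `FILE *output = popen(cmd.c_str(), "r");`, whose command string comes from `get_command(tmpfile.name)`, a function not shown here.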

             //int status __attribute__((unused)) = stat(tmpfile.name, &sb);
            //ASSERT_require(status >= 0);
            stats.input_size += sb.st_size;
            {
                boost::lock_guard <boost::mutex> lock(class_stats_mutex);
                class_stats.input_size += sb.st_size;
            }

            /* Show solver input */
            if (debug) {
                fprintf(debug, "SMT Solver input in %s:\n", tmpfile.name);
                size_t n = 0;
                std::ifstream f(tmpfile.name);
                while (!f.eof()) {
                    std::string line;
                    std::getline(f, line);
                    fprintf(debug, "    %5zu: %s\n", ++n, line.c_str());
                }
            }

            /* Run the solver and read its output. The first line should be the word "sat" or "unsat" */
            {
                Sawyer::Stopwatch stopwatch;
                std::string cmd = get_command(tmpfile.name);
                FILE *output = popen(cmd.c_str(), "r");
                ASSERT_not_null(output);
                char *line = NULL;
                size_t line_alloc = 0;
                ssize_t nread;
                while ((nread = rose_getline(&line, &line_alloc, output)) > 0) {
                    stats.output_size += nread;
                    {
                        boost::lock_guard <boost::mutex> lock(class_stats_mutex);
                        class_stats.output_size += nread;
                    }
                    if (!got_satunsat_line) {
                        if (0 == strncmp(line, "sat", 3) && isspace(line[3])) {
                            retval = SAT_YES;
                            got_satunsat_line = true;
                        } else if (0 == strncmp(line, "unsat", 5) && isspace(line[5])) {
                            retval = SAT_NO;
                            got_satunsat_line = true;
                        } else {
                            std::cerr << "SMT solver failed to say \"sat\" or \"unsat\"\n";
                            abort();
                        }
                    } else {
                        output_text += std::string(line);
                    }
                } 
