centos 7
shell weakness #20

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

alsa-tools-1.1.0/envy24control/new_process.c

Context:

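The highlighted line of code below is the trigger point of this particular CentOS 7 shell weakness. The highlighting is not preserved in this text; the call in the excerpt that starts a new program is `execv()`.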

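 	proc_status = 0;
	/*
	 * Advisory pre-check of file type and execute permission.
	 *
	 * file_status is filled in before this excerpt (presumably by stat()
	 * on cmd_line[0] -- confirm against the full function).  This check
	 * and the execv() below are separate look-ups of the same path, so the
	 * file can change in between.  Treat the result as a friendlier error
	 * message only; the kernel's own permission check at execv() time is
	 * the real enforcement.
	 *
	 * S_ISREG() is used rather than "st_mode & S_IFREG": the latter tests
	 * a single bit of the file-type field, and that bit is also set in
	 * other type codes (e.g. sockets on Linux), so it does not mean
	 * "regular file".
	 *
	 * The ownership tests compare against the real uid and the primary
	 * gid only (getuid()/getgid()); supplementary groups and effective
	 * ids are not considered, so the answer can differ from the kernel's.
	 */
	if (S_ISREG(file_status.st_mode)) {
		if (!(file_status.st_mode & S_IXOTH)) {
			if (!(file_status.st_mode & S_IXGRP)) {
				if (!(file_status.st_mode & S_IXUSR)) {
					/* no execute bit set at all */
					proc_status = -EACCES;
				} else if (file_status.st_uid != getuid()) {
					/* owner-only executable, and we are not the owner */
					proc_status = -EACCES;
				}
			} else if ((file_status.st_gid != getgid()) && (file_status.st_uid != getuid())) {
				/* group-executable, but we match neither group nor owner */
				proc_status = -EACCES;
			}
		}
	} else {
		proc_status = -EACCES;
	}

	if (proc_status != 0) {
		fprintf(stderr, "No permissions to execute program '%s'.\n", cmd_line[0]);
		return proc_status;
	}

	/*
	 * execv() runs cmd_line[0] directly with cmd_line as argv; no shell is
	 * involved, so shell metacharacters in the arguments are not
	 * interpreted.  The remaining exposure is whatever decides the
	 * contents of cmd_line, which is outside this excerpt -- callers must
	 * not pass a path or arguments taken from an untrusted source.
	 */
	pid = fork();
	if (pid == -1) {
		/* save errno before stdio can overwrite it */
		proc_status = -errno;
		fprintf(stderr, "Cannot fork to execute program '%s'.\n", cmd_line[0]);
		return proc_status;
	}
	if (pid == 0) {
		execv(cmd_line[0], cmd_line);
		/*
		 * execv() returns only on failure.  Without this exit the child
		 * would fall through and keep running the parent's code as a
		 * second copy of the calling program.  _exit() avoids flushing
		 * stdio buffers inherited from the parent.
		 */
		_exit(127);
	}

	/* ignore interactive interrupts while waiting for the child */

	int_stat = signal(SIGINT, SIG_IGN);
	quit_stat = signal(SIGQUIT, SIG_IGN);
	usr2_stat = signal(SIGUSR2, SIG_IGN);

	/*
	 * Wait for the child to finish.  wait() reaps any child of this
	 * process; statuses of children other than pid are discarded.
	 */

	while ( ( (w = wait(&proc_status)) != pid ) && (w != -1) )
		;
	if (w == -1) {
		proc_status = -errno;
	}

	/* restore the previous signal dispositions */

	signal(SIGINT, int_stat);
	signal(SIGQUIT, quit_stat);
	signal(SIGUSR2, usr2_stat);

	return proc_status;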
} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.