fedora 24
shell weakness #1


Weakness Breakdown


A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:



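The highlighted line of code below is the trigger point of this particular Fedora 24 shell weakness. (The excerpt is abridged and the highlighting did not survive in this listing; the warning text above matches the `execvp(*argv, argv)` call in the child process.) Note that `execvp` receives an argument vector built by splitting `cmd`, not a shell command line, so no shell interprets the string at this call. What a reviewer should check is whether `cmd` can be influenced by untrusted input, and that `execvp` searches `PATH` when the program name contains no slash.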

 #if wxVERSION_NUMBER < 2900
    ArgsArray argv(wxCmdLineParser::ConvertStringToArgs(cmd));
    ArgsArray argv(wxCmdLineParser::ConvertStringToArgs(cmd, wxCMD_LINE_SPLIT_UNIX));

GetOutputArray().Clear(); GetErrorsArray().Clear();
static size_t count;
count = 0;                                       // Set it here, not above: otherwise it'll retain its value for subsequent calls

int fd;
pid_t pid = forkpty(&fd, NULL, NULL, NULL);
if (pid == -1)
  return CloseWithError(0, wxT("Failed to create a separate process"));

if (pid == 0)                                   // The child process
  { setsid();
    struct termios tos;                         // Turn off echo
    tcgetattr(STDIN_FILENO, &tos);
    tos.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
    tos.c_oflag &= ~(ONLCR);
    tcsetattr (STDIN_FILENO, TCSANOW, &tos);

    if (int ret =  execvp(*argv, argv) == -1) 
      return CloseWithError(fd, wxString::Format(wxT("program exited with code %i\n"), ret));

                                                // The parent process

int fl; if ((fl = fcntl(fd, F_GETFL, 0)) == -1)  fl = 0;
fcntl(fd, F_SETFL, fl | O_NONBLOCK);            // Make non-blocking   

int status, ret = 1;
fd_set fd_in, fd_out;
  { struct timeval tv;
    tv.tv_sec = 0; tv.tv_usec = 20000;
    FD_ZERO(&fd_in); FD_ZERO(&fd_out);
    FD_SET(fd, &fd_in); FD_SET(fd, &fd_out);

    int rc = select(fd + 1, &fd_in, &fd_out, NULL, &tv);
    if (rc == -1)
      return CloseWithError(fd, wxString::Format(wxT("Error %d on select()"), errno));
    if (!rc) continue;

    if (FD_ISSET(fd, &fd_in)) 
