alpine 3.6
shell weakness #1

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

arping/src/arping-2.18/src/findif_bsdroute.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 shell weakness.

 /**
 *
 */
const char *
arping_lookupdev(uint32_t srcip,
                 uint32_t dstip,
                 char *ebuf)
{
        FILE *f = NULL;
	static char buf[10240];
	char buf1[1024];
	char *p,*p2;
	int n;

        *ebuf = 0;

        do_libnet_init(NULL, 0);
	libnet_addr2name4_r(dstip,0,buf1, 1024);

	/*
	 * Construct and run command
	 */
	snprintf(buf, 1023, "/sbin/route -n get %s 2>&1",
		 buf1);
	if (!(f = popen(buf, "r"))) {
                snprintf(ebuf, LIBNET_ERRBUF_SIZE,
                         "popen(/sbin/route): %s", strerror(errno));
		goto failed;
	}
	if (0 > (n = fread(buf, 1, sizeof(buf)-1, f))) {
                snprintf(ebuf, LIBNET_ERRBUF_SIZE,
                         "fread(/sbin/route): %s", strerror(errno));
		goto failed;
	}
	buf[n] = 0;
	if (-1 == pclose(f)) {
                snprintf(ebuf, LIBNET_ERRBUF_SIZE,
                         "pclose(/sbin/route): %s", strerror(errno));
		goto failed;
	}
        f = NULL;

	/*
	 * Parse interface name
	 */
        const char* head = "interface: ";
        p = strstr(buf, head);
	if (!p) {
                if (verbose) {
                        printf("arping: /sbin/route output: %s\n", buf); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.