alpine 3.6
shell weakness #5

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

The call to system() causes a new program to execute and is difficult to use safely.

File Name:

bc/src/bc-1.06.95/dc/misc.c

Context:

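The highlighted line of code below is the trigger point of this particular Alpine 3.6 shell weakness. The highlighting is not preserved in this listing; dc_system() calls system() at two points, once on a copy of the text up to the first newline and once on the whole string when there is no newline.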

 /* Run the text in `s` as a shell command via system().
 * Only the part of `s` before the first newline is executed; when there
 * is no newline the whole string is executed.
 * Returns a pointer to the first character not consumed: just past the
 * '\n' when one was found, otherwise the terminating '\0'.
 *
 * Security note: the command text reaches system() exactly as given.
 * Nothing in this function quotes, filters or allow-lists it, so every
 * shell metacharacter in it is interpreted by the shell. The status
 * returned by system() is discarded, so a failed command is not reported
 * to the caller.
 * NOTE(review): where `s` comes from is not visible here. Confirm that
 * every caller passes only text the invoking user is entitled to run, and
 * that this path is not reachable when processing input from an untrusted
 * source.
 */
const char *
dc_system DC_DECLARG((s))
	const char *s DC_DECLEND
{
	const char *newline = strchr(s, '\n');
	char *command;
	size_t command_len;

	/* No newline: the whole string is the command and is fully consumed. */
	if (newline == NULL) {
		system(s);
		return s + strlen(s);
	}

	/* `s` is const, so cut the command out into a private, terminated copy.
	 * NOTE(review): dc_malloc's result is used unchecked; presumably it
	 * does not return on allocation failure. Confirm.
	 */
	command_len = (size_t) (newline - s);
	command = dc_malloc(command_len + 1);
	strncpy(command, s, command_len);
	command[command_len] = '\0';

	system(command);
	free(command);

	/* Resume after the newline that ended the command. */
	return newline + 1;
}


/* Print `value` according to its type tag.
 * A DC_NUMBER is passed to dc_out_num() together with the output base
 * `obase`; a DC_STRING is passed to dc_out_str(), which takes no base.
 * Any other type tag is reported through dc_garbage().
 * `newline_p` and `discard_p` are forwarded unchanged to the output routine.
 */
void
dc_print DC_DECLARG((value, obase, newline_p, discard_p))
	dc_data value DC_DECLSEP
	int obase DC_DECLSEP
	dc_newline newline_p DC_DECLSEP
	dc_discard discard_p DC_DECLEND
{
	if (value.dc_type == DC_NUMBER) {
		dc_out_num(value.v.number, obase, newline_p, discard_p);
		return;
	}
	if (value.dc_type == DC_STRING) {
		dc_out_str(value.v.string, newline_p, discard_p);
		return;
	}
	/* Neither a number nor a string: the value is not printable data. */
	dc_garbage("in data being printed", -1);
}

/* return a duplicate of the passed value, regardless of type */
dc_data
dc_dup DC_DECLARG((value))
	dc_data value DC_DECLEND 
