io.kent

Exploiting Wildcard Expansion on Linux


Wildcard Expansion

When you type a command containing "*" in bash, bash expands it to the list of all files in the directory and passes them all as arguments to the program. For example, "rm *" will remove the files in the current directory.

Filenames Misinterpreted as Switches

Most command-line programs can take switches that affect how they work. For example, the ls command, when run without any switches, produces the output below.

[stephen@superX foo]$ ls

asdf.txt foobar -l

Now let's say you want to know what group and user owns these files. You can pass "-l" to the ls program to figure that out, which looks like this:

[stephen@superX foo]$ ls -l

total 0

-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt

-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar

-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 -l

Notice there is a file named -l in our directory. Let's try "ls *" now and see what happens:

[stephen@superX foo]$ ls *

-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt

-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar

The last two outputs are similar, but the output of "ls *" is different: it is missing the "-l" file, which ls interpreted as the "-l" switch. There's no way for the ls program to tell that the "-l" came from the wildcard expansion and wasn't actually what we intended. It's equivalent to running:

[stephen@superX foo]$ ls asdf.txt foobar -l

-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt

-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar

Security Problems

Misinterpreted filenames can lead to problems when someone runs a wildcard expansion on a folder they download from the Internet, for example, without first checking the filenames. Could this be used to attack someone's computer? Can we make a program do something bad by having specially-named files in the directory? Yes, it turns out that we can.

Here: https://dicesoft.net/projects/wildcard-code-execution-exploit.htm

  • Upvote 1
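
An added example, not part of the original post: a small shell audit that reports option-like filenames in a directory before any wildcard is run there, next to the bare "ls *" from the post and the same listing with "--" ending option parsing. The function names are hypothetical, and the permuted-option behaviour assumed for the bare form is that of GNU ls.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print every entry of directory $1 whose name begins with "-", one per line.
# These are the names a bare "*" would hand to a command as switches.
find_optionlike_names() {
    dir=$1
    for path in "$dir"/-*; do
        # An unmatched pattern stays literal; skip it unless it really exists.
        [ -e "$path" ] || [ -L "$path" ] || continue
        printf '%s\n' "${path##*/}"
    done
}

# The bare form from the post: a file named "-l" is parsed by ls as a switch.
bare_list() {
    ( cd -- "$1" && ls * )
}

# Hardened form: "--" ends option parsing, so every expanded name is an
# operand. Writing the pattern as ./* has the same effect, because no
# argument can then begin with "-".
safe_list() {
    ( cd -- "$1" && ls -- * )
}

# Stand-alone use: audit each directory given on the command line.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        hits=$(find_optionlike_names "$d")
        if [ -n "$hits" ]; then
            printf 'option-like names in %s:\n%s\n' "$d" "$hits"
        else
            printf 'no option-like names in %s\n' "$d"
        fi
    done
fi
```

Run it with one or more directories as arguments before using wildcards in them; in scripts, use the "--" or "./*" form regardless of what the audit reports.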
