
No one expects command execution - wglb
http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html
======
orf
I don't get it, it's not really unexpected if you pass the name of the
executable (which just happens to be a script) via a flag... used explicitly
for passing an executable to run.

I mean, is it unexpected if `./my_command --execute-this-right-now=somescript.sh`
executes somescript.sh?

~~~
reubenmorais
I guess the author's point is don't ever, ever, ever mix shells and
unsanitized user inputs, even if you think it can't possibly be harmful.

In other words, even if it's not obvious, doing this creates a security
vulnerability:

    tar bla bla ${user input}

~~~
andrey-p
But if you're plugging in input like that, couldn't the malicious user just
pass in something like

    && sudo rm -rf /

anyway? Which would render the whole point of the article moot.

~~~
ninkendo
There are simple ways to "escape" user input (as in, ensure the whole input
string is interpreted as a single argument to this program) in ways that
ensure you can't do simple &&'s or ;'s and execute a totally different
command. But the point of the article is that even if it's properly escaped,
users can still do malicious things when input is passed to lots of standard
UNIX utilities.

~~~
Gibbon1
What I wish is that there were a flag in Unicode to declare characters as
'unsafe user input' so that system utilities and databases could recognize
unsafe user input and barf on it.

~~~
jacquesm
It would be a very rare case where a vulnerability related to in-band
signalling can be fixed with more in-band signalling.

~~~
Gibbon1
You can if your encoding is explicit about what's in band and out of band. I
get the feeling you've never written a protocol ever.

~~~
jacquesm
I don't think you even understand the concept of in-band and out-of-band,
that's not a function of the encoding. And I've written protocols aplenty in
the days when not everything ran on top of HTTP, high speed serial links, with
and without virtual circuits (so mux-demux) and a whole slew of others.

Just to make sure you are on the same page as the rest of us here: in-band and
out-of-band is a way to distinguish sending meta information about the data
stream through the same channel as the original data. You need an escape
mechanism for that, so control characters and such.

Out-of-band signalling indicates that all meta information about the data
stream travels through a different (virtual) circuit, in which case there can
never be confusion about whether a given chunk is data or meta info.

~~~
Gibbon1
I now understand that your point here is to be insulting.

------
brynet
And yet another interesting GNU tar "feature"; also noteworthy is remote tar:

https://www.gnu.org/software/tar/manual/html_section/tar_46.html#remote_002ddev

> "If the archive file name includes a colon (`:'), then it is assumed to be a
> file on another machine. If the archive file is `user@host:file', then file
> is used on the host host. The remote host is accessed using [rsh]."

and

> "If you need to use a file whose name includes a colon, then the remote tape
> drive behavior can be inhibited by using the `--force-local' option."

On many systems, rsh is aliased to ssh, so if you don't properly sanitize your
archive names, GNU tar will make network connections.
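
As an added example, not code from the blog post or from anyone in this thread: a small Python helper showing what ninkendo's point above amounts to in practice (user input passed as a single argument, with no shell in the loop) and how a program invoking GNU tar avoids the remote `user@host:file` behaviour brynet quotes. It assumes GNU tar is on PATH; the function names and the sample hostile filename are mine.

```python
import shlex
import subprocess
from typing import List, Optional

TAR = "tar"  # assumption: GNU tar on PATH


def shell_words(command_prefix: str, user_input: str) -> List[str]:
    """Show what a POSIX shell makes of a command built by string
    concatenation: the user's text is split into separate words, so
    '&&', ';' or a second command name become tokens the shell acts on."""
    return shlex.split(command_prefix + " " + user_input)


def shell_safe_string(command_prefix: str, user_input: str) -> str:
    """If a shell string is unavoidable, quote the input so it stays one word.
    This stops '&&'-style chaining, but it does NOT stop tar itself from
    interpreting the argument (options, ':' remote syntax)."""
    return command_prefix + " " + shlex.quote(user_input)


def check_archive_name(name: str) -> str:
    """Reject names tar would read as something other than a local path."""
    if not name or "\x00" in name:
        raise ValueError("archive name must be a non-empty string without NUL")
    if name.startswith("-"):
        # '-' means stdin and '--anything' would be parsed as an option
        raise ValueError("archive name must not start with '-'")
    return name


def build_tar_extract_argv(archive: str, members: Optional[List[str]] = None) -> List[str]:
    """Build an argv list (no shell): every element is exactly one argument.

    --force-local  a ':' in the name is a local file, never user@host:file via rsh/ssh
    --file=NAME    binds the name to -f unambiguously, whatever it looks like
    --             ends option parsing, so member names cannot become options
    """
    argv = [TAR, "--force-local", "--extract", "--file=" + check_archive_name(archive)]
    if members:
        argv.append("--")
        argv.extend(members)
    return argv


def run_tar(argv: List[str]) -> "subprocess.CompletedProcess[bytes]":
    """shell=False: argv goes straight to execve, no shell reinterpretation."""
    return subprocess.run(argv, shell=False, check=True)


if __name__ == "__main__":
    hostile = "backup.tar && rm -rf /"  # constructed sample input
    print(shell_words("tar -xf", hostile))        # '&&' and 'rm' become shell words
    print(shell_safe_string("tar -xf", hostile))  # one quoted word
    print(build_tar_extract_argv("user@host:backup.tar", ["etc/hosts"]))
```

The argv form is the one to use from a program; `shell_safe_string` is only there to show that quoting alone leaves the argument's meaning to tar, which is exactly the gap the article is about.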

~~~
im3w1l
Wow... I'm starting to get really scared of the shell, and how much hidden
complexity there is waiting to trap the unwary. Feels like best practice for
shell scripts is to only ever use them for one-offs. And that tar and friends
should never be used as "helpers" by other programs.

~~~
digi_owl
Welcome to life.

~~~
im3w1l
What you are, rudely, implying is that what I am saying is already well known.
I'd argue that isn't so.

Until recently, shell scripts were the way you inited a system. I still have
almost 2000 shell scripts on my machine that I didn't write myself.

People got owned during shellshock, which means they did run helper programs,
in web-facing applications even.

~~~
digi_owl
No, life is stuffed full of hidden complexities.

Complexities that are ready to bite the hand of the unwary at the slightest of
chances.

Honestly, I think the biggest lie in modern times is the MS/Apple lie that
computing can be made so simple that even the proverbial aunt Tillie can do it
without reading any sort of manual.

------
jcape
If your ~/.bashrc is a SYMLINK to a bash or sh script, bash will AUTOMATICALLY
EXECUTE that script on login.

If you give the rsync command a source or destination with an unescaped colon,
it will read an ENVIRONMENT VARIABLE to figure out a command to run to
AUTOMATICALLY CONNECT TO ARBITRARY NETWORK RESOURCES. If you have keys, it
will even SKIP PASSWORD ENTRY, and with default Kerberos, it will not only
skip the password, but make a network connection to a login server:port
specified by a DNS ENTRY.

Seriously, who is this guy, and why is this trainwreck #1 on HN?

~~~
ajkjk
Did this article make you angry? Why do you call it a trainwreck?

~~~
rylee
The article is literally "If you tell these utilities to execute this script,
they'll execute this script". NONE of these should be "unexpected".

~~~
jjoonathan
Not the point. Of course it's not surprising that these utilities will execute
scripts if you tell them to. The unexpected fact is that you _can_ tell them
to -- and that this is documented behavior which probably isn't going away.

If your argument was that no programmer should be surprised that you can tell
an archive utility to execute an arbitrary script, then you and the author of
the post are in complete agreement. The remaining difference is that the
article actually does something to fix the problem while you merely hurl an
implicit insult at anyone who hasn't seen this type of privilege escalation
yet. One of these actions is more constructive than the other.

~~~
d23
> you merely hurl an implicit insult at anyone who hasn't seen this type of
> privilege escalation yet

You and I have vastly different opinions on what constitutes privilege
escalation.

~~~
jjoonathan
I'm not a security researcher. Care to recommend a more appropriate term for
the data -> execution stage as opposed to the user -> root stage which is more
commonly associated with the term "privilege escalation"?

------
juhanima
This might be related to another article about OLE execution, to cast a shadow
of doubt that it is not an isolated habit. Having outside stuff executed when
not meaning to is always bad. I for one would be badly disappointed if tar
xvf unexpectedly ran some code. Luckily, that is not the case.

UNIX got battle-hardened during its college years; the cases of unexpected
execution are few and far between. One of them is post-install: never run
dpkg -i unless you trust the packager.

~~~
cbd1984
> UNIX got battle-hardened during its college years

Is that when it finally gave up making shar archives?

For the uninitiated: A shar is a "shell archive", or a shell script which
(typically) makes heavy use of 'here documents' to do what tarballs do, only
they're shell scripts so you have to execute them and then they can
potentially execute arbitrary code unless you read through them very closely
and actually understand them.

Yes, people actually made these. Yes, people actually ran these. Yes, they
still exist on some old archive FTP servers and so on.

It's amazing how clever you can be when you don't think you'll ever have to
care about security or The Sufficiently Stupid User (because sufficiently
advanced stupidity is indistinguishable from malice).

~~~
Blackthorn
I don't really understand how a shar is more dangerous than the
still-incredibly-common "./configure; make".

~~~
nhaehnle
You really don't need the "./configure" there. make alone can obviously run
arbitrary commands - but then again, so can the program whose source code you
probably downloaded in order to run it.

In general, all the hype about not executing stuff from the web has a point
but is largely confused about where the risks are and aren't (e.g. the "don't
pipe wget into the shell" meme).

------
joeyh
Command execution is overrated. How about having tar download an arbitrary tar
file over the network, from a server you control?
http://bugs.debian.org/290435

~~~
0x0
That's a bit of a surprise!

------
WalterBright
What I find interesting is the thread title being a pun from a 40-year-old
movie. Back in the 70s, there wasn't any interest in movies, music, etc. from
the 30s. And there still isn't interest in 30s culture, but plenty in the 70s.

I wonder why.

~~~
supertruth
I think you're in a bubble. Lots of people have interest in the 30s given it
was the golden age of Hollywood: Gone with the Wind references have entered
the cultural lexicon, so have The Wizard of Oz references.

~~~
WalterBright
A movie from the 70s that compares with TWoO and GWTW in stature would be Star
Wars, certainly not MPatHG.

I find it unremarkable that people today quote SW.

~~~
supertruth
Yeah but even then, you have The Three Stooges, The Marx Brothers, and Charlie
Chaplin. All 30s-era comedy groups similar in notoriety to Monty Python.

~~~
WalterBright
In high school and college in the 70s, people did not go around quoting the
Marx Bros. They were generally regarded as belonging to their grandparents'
generation. It's just not like Python quotes today, which seem to be just as
pervasive as in the 70s.

Can you even think of a MB quote without looking one up? If I made a pun on
one, would you recognize it?

~~~
supertruth
Yeah, like I said, I think you're living in a bubble and/or this is
confirmation bias. I grew up in the 00s and, from my perspective, I see Monty
Python as belonging to my grandparents' generation. No one in my age group
commonly quotes Monty Python.

If people still do quote Monty Python, I think it's a culty minority or people
who study media. The same status as the Marx Brothers and other comedians of
bygone eras.

But we can agree to disagree :)

------
Retr0spectrum
Are there any real examples of how this could be used to do something
malicious?

~~~
jlgaddis
In one case, I could have used _tcpdump_ to elevate privileges on a customer's
router.

They had an x86 box running RHEL as their firewall/router and I was hired to
resolve an (IPSec) issue they were having. I asked for a capture of some
specific traffic but their I.T. guys (small company w/ only two technical
staff) weren't "fluent" with bpf filters, so they created a user account for
me, provided me with access via SSH, and granted me the ability to run
_tcpdump_ via _sudo_.

From the example given, I could have used the "-z" flag to run arbitrary
commands and escalate to root (although, in this case, I likely could have
gained root simply by asking nicely).
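
The account above is the classic shape of the problem: sudo grants a tool, and the tool's own option set (here tcpdump's `-z`) turns a "run a capture" permission into "run anything as root". As an added example, not something jlgaddis or the thread posted, here is the defensive pattern for that case: sudo grants a wrapper script instead of tcpdump itself, and the wrapper fixes every option and only lets an allowlisted BPF filter through. The install path `/usr/local/sbin/capture`, the tcpdump path and the capture directory are assumptions.

```python
import ipaddress
import os
import re
import sys
from typing import List

# Assumed deployment (not from the thread): this file is installed as
# /usr/local/sbin/capture and the sudoers rule grants that path, not tcpdump:
#   analyst ALL=(root) NOPASSWD: /usr/local/sbin/capture
TCPDUMP = "/usr/sbin/tcpdump"        # assumed location of the binary
CAPTURE_DIR = "/var/tmp/captures"    # fixed by the wrapper, never by the caller
MAX_PACKETS = "10000"                # hard cap so a capture cannot run forever

IFACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,14}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,40}$")
# Port numbers and port ranges; must begin with a digit, so no '-x' options.
NUMBER_RE = re.compile(r"^[0-9]{1,5}(-[0-9]{1,5})?$")
# BPF primitives and qualifiers an analyst may use; nothing else passes through,
# so no word beginning with '-' (such as -z or -w) can reach tcpdump's parser.
FILTER_WORDS = {
    "host", "net", "port", "portrange", "src", "dst", "and", "or", "not",
    "ip", "ip6", "tcp", "udp", "icmp", "esp", "ah", "proto", "vlan",
}


def is_address(word: str) -> bool:
    """Accept IPv4/IPv6 addresses and CIDR networks, reject everything else."""
    try:
        ipaddress.ip_network(word, strict=False)
        return True
    except ValueError:
        return False


def check_filter(words: List[str]) -> List[str]:
    for w in words:
        if w in FILTER_WORDS or NUMBER_RE.match(w) or is_address(w):
            continue
        raise ValueError("filter word not allowed: %r" % (w,))
    return words


def check_iface(iface: str) -> str:
    if not IFACE_RE.match(iface):
        raise ValueError("bad interface name: %r" % (iface,))
    return iface


def build_capture_argv(iface: str, filter_words: List[str], capture_name: str) -> List[str]:
    """Every flag is fixed here; the caller only influences interface, output
    basename and the filter expression, and each of those is validated."""
    if not NAME_RE.match(capture_name):
        raise ValueError("bad capture name: %r" % (capture_name,))
    out_path = os.path.join(CAPTURE_DIR, capture_name + ".pcap")
    argv = [TCPDUMP, "-n", "-i", check_iface(iface), "-c", MAX_PACKETS, "-w", out_path]
    return argv + check_filter(filter_words)


def main(argv: List[str]) -> int:
    if len(argv) < 3:
        sys.stderr.write("usage: capture IFACE NAME [bpf filter words...]\n")
        return 2
    try:
        cmd = build_capture_argv(argv[1], argv[3:], argv[2])
    except ValueError as exc:
        sys.stderr.write("refused: %s\n" % exc)
        return 2
    os.execv(cmd[0], cmd)  # replaces this process; no shell involved
    return 1  # not reached


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `sudo capture eth0 ipsec udp port 500 or esp`; a call such as `sudo capture eth0 x -z something` is refused before tcpdump ever starts. The same shape (fixed flags, allowlisted free text, exec without a shell) applies to any of the other utilities in the article when they have to be exposed through sudo.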

------
elchief
There must be a bug in my OpenBSD, because none of these work...

------
tome
Oh for explicitly typed IO.

(Sadly command-line programs have yet to pass the threshold of even having a
type system at all.)

~~~
alanctgardner3
PowerShell!

Seriously, MS doesn't do everything great, but PowerShell has typed pipes
(typed everything, actually, it's not just stringly like *sh) which are
seriously awesome.

------
evilDagmar
Oh my god! Who would have ever expected that command line utilities might be
able to execute external programs?!

Quick! Everyone! Run in circles!

------
AceJohnny2
Well geez, it's almost like the tools were designed with flexibility and
pluggability in mind before the advent of the internet and the fear of remote
shell exploits...

/s

------
dlsym
Hey guys! Did you know you can actually execute a script with date by running
date && ./myscript.sh

WOW! I'd better get going on writing my blog post "executing arbitrary code
with 'date'".

~~~
haberman
Doesn't count, a setuid date wouldn't get you root with that command.

~~~
__david__
How many people have setuid tar? Or man, or zip, or git, or ftp?

------
tcannon
_You_ didn't expect command execution.

