
I'm trying to understand more about this edit that was made to an answer of mine:

https://unix.stackexchange.com/revisions/510388/5

How does running cd "{}" in the context of a find command introduce vulnerability to injection attacks?

For reference, the change made to cover the vulnerability was:

diff --git a/command b/command
index 26488d0..fed4c07 100644
--- a/command
+++ b/command
@@ -1 +1 @@
-find . -type d -exec sh -c 'cd {} && echo "Spawning a shell in $PWD..." && sh' \;
+find . -type d -exec sh -c 'cd "$1" && echo "Spawning a shell in $PWD..." && sh' sh {} \;
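Review bot: the fix is sound because `{}` now arrives as `$1` of the inner shell and is expanded only inside double quotes, so `$(...)`, `;` and quote characters in a directory name are never parsed as shell code; it is worth stating in the post that the extra `sh` argument before `{}` is deliberate (it fills `$0`), since a reader who drops it will find `$1` empty and the `cd` silently pointing somewhere else.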

1 Answer


The directory name is placed where the curly braces are, and is then subject to the shell; consider a mkdir '$(reboot)' where find will find it. You then end up with sh executing: cd $(reboot) -- or whatever other command you would like to imagine. The cd command will probably fail, unless the attacker is extraordinarily crafty and echoes the name of a valid directory there, but the damage is done, regardless. For less-drastic testing as root, try something like:

$ mkdir '$(touch .evil_file; echo directory-name)'

You'll end up with this output:

something
sh: line 0: cd: ./directory-name: No such file or directory

... and:

$ ls -a
.  ..  .evil_file  $(touch .evil_file; echo directory-name)
Jeff Schaller

Note that even if the {} was quoted inside the script, a directory name with the corresponding quotation mark would have broken out of that. Additionally, any directory whose name contains a ; would probably also have allowed arbitrary code to be executed by the in-line shell script. – Kusalananda Apr 04 '19 at 19:08
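To see the difference concretely, here is an added demonstration (not from the original answer or the edit) that builds a scratch tree containing a constructed directory name, runs both the original and the patched find command over it with a harmless marker file standing in for `reboot`, and reports whether the name was executed; it assumes a POSIX sh, find and mktemp.

```shell
#!/bin/sh
# Added example: compare the "{} pasted into the script" pattern with the
# "{} passed as $1" pattern using a directory name that is shell code.

# Create a scratch tree with one hostile directory name (constructed).
# If the name is ever parsed as code it creates .marker in the caller's cwd.
make_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/\$(touch .marker; echo harmless)" || return 1
    printf '%s\n' "$dir"
}

# Vulnerable pattern from the original answer: find substitutes {} into the
# script text, so sh parses the directory name as part of the command line.
run_vulnerable() {
    ( cd "$1" && find . -type d -exec sh -c 'cd {} && pwd' \; ) >/dev/null 2>&1
}

# Patched pattern: {} becomes $1 of the inner sh (the extra "sh" fills $0)
# and is only expanded inside double quotes, so the name is never parsed.
run_fixed() {
    ( cd "$1" && find . -type d -exec sh -c 'cd "$1" && pwd' sh {} \; ) >/dev/null 2>&1
}

# True if the hostile name was executed, i.e. the marker file now exists.
marker_created() {
    [ -e "$1/.marker" ]
}

# Run one pattern on a fresh tree and print "fired" or "inert".
check_pattern() {
    tree=$(make_tree) || return 2
    "$1" "$tree" || :
    if marker_created "$tree"; then result=fired; else result=inert; fi
    rm -rf "$tree"
    printf '%s\n' "$result"
}

check_pattern run_vulnerable   # fired
check_pattern run_fixed        # inert
```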