October 2, 2016

Command Injection Without Spaces

I came across a nice little command injection vulnerability while doing a bug bounty recently. The only catch was that I couldn't use any spaces in the commands. Let me go into the details...

Note: I can't post any details about the application as it was a private bounty program.

It all began with the page providing an input box for doing 'nslookup' of a domain or IP entered by the user.
A page like this always excites a bug bounty hunter as the application has to pass user's input to underlying system command to perform nslookup and present the output of that command in the browser. If the developer has made any mistake in validating and sanitizing the input, they inadvertently open the doors to attackers misusing this feature to execute arbitrary commands on the server.

So, when I saw the input box I started to explore and try to force the application in executing arbitrary commands.
I began with simple input google.com

My next automatic try was to input google.com && ls
This returned same output as above, meaning the application ignored additional command provided by me. The same story continued for all my tries such as google.com || ls
When I tried input google.com>/tmp/test.txt the output window came blank which was strange. This suggested maybe the application is filtering spaces so I tried the same commands but without spaces and...

But the problem with spaces was still not solved. For the input google.com&&cat /etc/passwd the application again ignored anything after the space.
Then my next obvious move was to search on Google for this issue because if I am facing this issue, somebody must have already faced similar situation. Needless to say, Google didn't disappoint.

According to this, if you provide input like following on the bash terminal: {echo,hello,world} it will execute the command echo hello world
That was neat and TIL moment for me.
I tried it in my application but that didn't succeed. Maybe because the application I was targeting was an embedded device and the shell was a busybox shell. On more Googling, my doubt was confirmed.

So I was again back to Google looking for different solution. Then I came across this thread - http://seclists.org/pauldotcom/2012/q2/200
According to this, you can execute commands without spaces like this: CMD=$'\x20a\x20b\x20c';echo$CMD

Look at the cleverness of that! More TIL!
Here, CMD is an environment variable containing encoded spaces. On running that we get echo a b c

Now, I tried that in my application with little modification CMD=$'\x20a\x20b\x20c'&&echo$CMD

From here, executing arbitrary commands was a cakewalk. Input google.com&&CMD=$'\x20/etc/passwd'&&cat$CMD