0

There are awk (BusyBox v1.26.2 awk) statements to parse /proc/cmdline before passing an IP address to a program. And I can't change them.

/bin/t `awk 'BEGIN{FS="ip="}{print $2}' /proc/cmdline | awk 'BEGIN{FS=":"}{print $2}'`

So that the ip=192.168.0.1:192.168.0.2:xxx:xxx:xxxx in /proc/cmdline will print 192.168.0.2 as the argument to /bin/t

I'm not too familiar with awk, but I think this is safe and attempt to inject something that will be a security problem (e.g. $(reboot), 0.0.0.0`reboot` etc) will fail. (/bin/t has it's own checks on command line arguments passed to it).

In this case an attacker has control of uboot bootargs variable and hence can control the ip= line in /proc/cmdline.

I'd like the reassurance of awk experts this isn't injectable if possible.

Many thanks.

Note for clarification: Is there anything I can put in /proc/cmdline that results in shell execution?

Tis Me
  • 11
  • 1

1 Answers1

0

Nothing to do with awk but your command isn't safe because you aren't quoting the argument to t so the shell will evaluate it. Try echo `echo '*'` vs echo "`echo '*'`" . Your awk commands pipleine could be reduced too and you should be using $(...) instead of backticks. This should be safe as well as concise, efficient, and robust:

/bin/t "$(awk 'BEGIN{FS="ip=|:"}{print $2}' /proc/cmdline)"
Ed Morton
  • 188,023
  • 17
  • 78
  • 185
  • I cannot change the way this is implemented unless I can demonstrate it is insecure. So is there anything I can put in /proc/cmdline that results in shell execution? If not, then it is secure assuming /bin/t is secure of course. – Tis Me Feb 08 '22 at 13:17
  • It's not shell execution that'd occur, the bug allows word splitting, globbing and filename expansion. Put `*` in /proc/cmdline as I suggested and you'll see the list of files in the directory you run it from being passed to `t` instead of `*`. Put a line that contains spaces and you'll see `t` being called with each word in the line as separate arguments instead of 1 argument. So if the attacker can create a file or a word in the input named such than when `t` gets it as an argument it does something undesirable (spawn a shell? remove files?, change permissions?) then you have a problem. – Ed Morton Feb 08 '22 at 13:39
  • That's true but won't be an issue. /bin/t checks only 2 arguments are present and that the second one is an ip address. Thanks for your thoughts though. – Tis Me Feb 08 '22 at 13:45