Exploiting Command Argument Injections With Openssl and Tar
One of the more interesting bug bounties I have come across required chaining two “argument injection” vulnerabilities along with a number of smaller data validation vulnerabilities to achieve remote code execution. The target application was an enterprise server with an administrator feature for downloading a backup and later restoring from the downloaded file. Unsurprisingly this “restore from backup” feature involved uploading a file over HTTP, and as is often the case the file upload was being processed in an insecure way.

I am breaking this post down into a vulnerabilities section that provides some pseudocode and analysis of the vulnerable component and an exploit section that contains details of the triple-upload exploit.

The Vulnerabilities

Here is some Java code that demonstrates how the “restore from backup” feature processed the uploaded file. I changed the real password to “secret123” because humorously the hard-coded password that they chose actually would ident
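The vulnerability class the post is built around is worth pinning down before the Java code: an argument injection happens when an untrusted value (here, a field from the uploaded backup) is spliced into a command line so that a tool such as tar or openssl parses it as an option rather than as data. The following Python example is added here and is not code from the post or from the affected product; it uses constructed upload names, uses tar as the stand-in tool, and contrasts the string-concatenation pattern that creates the problem with an argv-list form that validates the name and binds it to its option so it can never be read as a flag.

```python
import re
import shlex

# Allowlist for an uploaded backup name: first character may not be '-',
# no path separators, bounded length. Constructed for this example.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def unsafe_command(upload_name: str) -> list:
    """Vulnerable pattern: the untrusted name is concatenated into a shell
    command string. shlex.split shows what the shell would hand to tar."""
    return shlex.split(f"tar -xzf {upload_name}")


def injected_options(argv: list) -> list:
    """Tokens after the program name that tar would parse as options.
    In the unsafe form, an upload name starting with '-' shows up here."""
    return [tok for tok in argv[1:] if tok.startswith("-")]


def is_valid_upload_name(name: str) -> bool:
    """Reject anything outside the allowlist, including names that start
    with '-' and names containing '/' or '\\'."""
    return SAFE_NAME.fullmatch(name) is not None


def safe_command(upload_name: str) -> list:
    """Hardened form: validate the name, never go through a shell, and bind
    the name to its option with '--file=NAME' so the token is always read as
    the value of --file, never as a separate option."""
    if not is_valid_upload_name(upload_name):
        raise ValueError(f"rejected upload name: {upload_name!r}")
    return ["tar", "--extract", "--gzip", f"--file={upload_name}"]


if __name__ == "__main__":
    # Constructed sample: a name that smuggles an extra (harmless) option.
    crafted = "--verbose backup.tar.gz"
    print("unsafe argv:", unsafe_command(crafted))
    print("options tar would see:", injected_options(unsafe_command(crafted)))
    print("safe argv:", safe_command("backup.tar.gz"))
    print("crafted name accepted by validator:", is_valid_upload_name(crafted))
```

The argv list matters as much as the validation: passing a list to `subprocess.run` (or Java's `ProcessBuilder`) removes the shell word-splitting that turns one upload name into several tokens, and the `--file=NAME` spelling means that even a name the allowlist missed is consumed as an option value rather than parsed as a new option.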