Slashdot Mirror


Exploiting Wildcards On Linux/Unix

An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
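A harmless illustration of the mechanism the summary describes, together with the two usual fixes and a simple audit. This is an added example, not code from the Slashdot post or from Mr. Juranic's write-up. The file name `-n` (cat's "number lines" option), the scratch directory and all function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The file name "-n" and all function names are constructed
# for illustration; "-n" is cat's harmless "number lines" option.
LC_ALL=C; export LC_ALL        # make glob sort order deterministic

make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf 'alpha\n' > "$d/a.txt"
    printf 'beta\n'  > "$d/b.txt"
    : > "$d/-n"                # empty file whose name looks like an option
    printf '%s\n' "$d"
}

# Unsafe: the shell expands * to "-n a.txt b.txt" before cat starts, so cat
# cannot tell the file name from an option typed by the user.
unsafe_cat() { ( cd "$1" && cat * ); }

# Fix 1: "--" marks the end of options; everything after it is an operand.
safe_cat_dashdash() { ( cd "$1" && cat -- * ); }

# Fix 2: a ./ prefix means no expanded name can begin with "-".
safe_cat_prefix() { ( cd "$1" && cat ./* ); }

# Audit: report entries under a directory whose names begin with "-".
find_dash_names() { find "$1" -name '-*' -print; }

demo() {
    dir=$(make_demo_dir) || return 1
    echo "cat *     :"; unsafe_cat "$dir"
    echo "cat -- *  :"; safe_cat_dashdash "$dir"
    echo "cat ./*   :"; safe_cat_prefix "$dir"
    echo "suspicious:"; find_dash_names "$dir"
    rm -rf -- "$dir"
}
demo
```

The same two fixes apply to any command that receives an expanded glob, which matters most in scripts and cron jobs that run as root over directories other users can write to.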


  1. If only this was a Microsoft issue. by jellomizer · Score: 0, Flamebait

    If it were a Microsoft issue, this would be so a bug and not a feature.

    Linux/Unix are an old design of an OS. There are some designs in its main way of doing things that do not work in today's much more secure environment.

    Things have been upgraded: Telnet replaced with SSH, hacks on FTP to make it more secure. But the underpinning is still there. Back in the day when computers needed to do things.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.