Analysis Daemon02 is a classic example of command injection vulnerability. It is a daemon listening on five ports from 2221 to 2225 which receives input from users, parse it into command, then execute that command on the host system. Available commands are: * help: print help banner * status : print system uptime * procs : print list of running processes The interesting one is procs. When receiving "procs " command, daemon02 will first perform various checks for dangerous metacharacters such as ";", "|", and "&". If any of them found, daemon02 will replace it with an empty space. Then the command line string is built as "proc ax | grep -v root | grep -v nobody | grep -v apache | grep -v args". Finally it calls popen(3) with the command line string described in the last sentence as the first argument. The result of popen(3) will be returned to the user.
Daemon02 - HITB Malaysia 2008 CtF
Daemon02 - HITB Malaysia 2008 CtF
Daemon02 - HITB Malaysia 2008 CtF
Analysis Daemon02 is a classic example of command injection vulnerability. It is a daemon listening on five ports from 2221 to 2225 which receives input from users, parse it into command, then execute that command on the host system. Available commands are: * help: print help banner * status : print system uptime * procs : print list of running processes The interesting one is procs. When receiving "procs " command, daemon02 will first perform various checks for dangerous metacharacters such as ";", "|", and "&". If any of them found, daemon02 will replace it with an empty space. Then the command line string is built as "proc ax | grep -v root | grep -v nobody | grep -v apache | grep -v args". Finally it calls popen(3) with the command line string described in the last sentence as the first argument. The result of popen(3) will be returned to the user.