2. $WHOAMI
• Principal security researcher @ Cybereason
• I LOVE EMBEDDED HACKING (used to make my living off of it)
• I was here ~3 months ago talking about command injections
• I am going to do that again right now
@0xAmit
9. YOU KNOW WHAT THAT MEANS…
Someone passes a user controlled string to system()
10. YOU KNOW WHAT THAT MEANS…
That user controlled string is in the friggin URL
11. YOU KNOW WHAT THAT MEANS…
It is actually in the HTTP request itself
12. YOU KNOW WHAT THAT MEANS…
The server just accepts and executes the command => no auth
13. SO WAIT A MINUTE…
If a user controlled string, which is the HTTP request itself, gets passed as an argument to system(), does this mean what I…? Oh shit.
15. QUESTIONS…
• Where exactly in the code is the mistake and does it
look like what I think it looks like
• Are they actually calling system?
• Why?! What for and how many times…
21. SO WHAT'S GOING ON?
• The webserver implements a bunch of server side functionality using 'cgi-bin'
• Cgi-bin is a generic name for scripts that are processed on the server side using input from the client side
• That is a terrible idea. The 90s are over. WTF.
24. SO WHAT'S ACTUALLY GOING ON HERE?
• The webserver implements a bunch of server side functionality using 'cgi-bin'
• Cgi-bin is a generic name for scripts that are processed on the server side using input from the client side
• All of those scripts are in the /cgi-bin/ directory
• One of those things is to LOG the parameters in the HTTP requests to a file.
• The logging is done by doing something roughly like this (the command line is built with the raw parameter and handed to the shell):
• snprintf(cmd, sizeof cmd, "echo %s >/tmp/options_result", USER_INPUT); system(cmd);
• Since any request to cgi-bin/ is handled that way… That means…
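To make the data flow on this slide concrete, here is an added example in C. It is not code from the talk or from the affected device; it assumes a single request parameter already extracted as a string, and it reuses the /tmp/options_result path from the slide. It shows the command line the unsafe pattern would build, a check a defender can run over logged parameters to flag shell metacharacters, and the hardened version that logs with stdio so no shell is ever involved. The unsafe command is only built as a string here, never executed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern from the slide: the parameter is interpolated into a shell
 * command line that would then be passed to system(). Returned as a string
 * (static buffer, for demonstration only) so the caller can inspect it. */
const char *build_unsafe_command(const char *param)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s >/tmp/options_result", param);
    return cmd;
}

/* Defender check: does the parameter contain any character the shell treats
 * specially? Usable as a detection rule over request logs, or as a guard in
 * front of any code path that still reaches the shell. */
bool contains_shell_metachar(const char *s)
{
    static const char meta[] = ";|&`$()<>\n\r\"'\\*?[]{}~!#";
    for (; *s; s++)
        if (strchr(meta, *s))
            return true;
    return false;
}

/* Hardened logging: append the parameter to an already-open stream with
 * stdio. The bytes are data, never a command. Returns bytes written
 * (including the newline) or -1 on error. */
long log_param_safely(FILE *f, const char *param)
{
    size_t len = strlen(param);
    if (fwrite(param, 1, len, f) != len)
        return -1;
    if (fputc('\n', f) == EOF)
        return -1;
    return (long)len + 1;
}

/* Round-trip helper: log a parameter to a temporary file and confirm the
 * stored line is byte-for-byte the input, metacharacters included. */
bool safe_log_preserves_input(const char *param)
{
    FILE *f = tmpfile();
    if (!f)
        return false;
    bool ok = false;
    if (log_param_safely(f, param) >= 0) {
        rewind(f);
        char line[512];
        if (fgets(line, sizeof line, f)) {
            size_t n = strlen(line);
            if (n && line[n - 1] == '\n')
                line[n - 1] = '\0';
            ok = strcmp(line, param) == 0;
        }
    }
    fclose(f);
    return ok;
}

int main(void)
{
    /* Constructed sample parameters: one benign, one carrying a metacharacter. */
    const char *samples[] = { "model=router", "a;b" };
    for (size_t i = 0; i < 2; i++) {
        printf("param %-12s  shell line: %s\n", samples[i],
               build_unsafe_command(samples[i]));
        printf("  metachar: %s  safe log round-trip: %s\n",
               contains_shell_metachar(samples[i]) ? "yes" : "no",
               safe_log_preserves_input(samples[i]) ? "ok" : "FAIL");
    }
    return 0;
}
```

The point of the last two functions is that the safe version does not need to sanitize anything: once the parameter is written with fwrite instead of echo through a shell, the same bytes that would have changed the meaning of the command line are just text in the log.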