Posts

Showing posts from November, 2008

Daemon02 - HITB Malaysia 2008 CtF

Analysis

Daemon02 is a classic example of command injection vulnerability. It is a daemon listening on five ports from 2221 to 2225 which receives input from users, parse it into command, then execute that command on the host system. Available commands are:

* help: print help banner

* status : print system uptime

* procs : print list of running processes

The interesting one is procs. When receiving "procs " command, daemon02 will first perform various checks for dangerous metacharacters such as ";", "|", and "&". If any of them found, daemon02 will replace it with an empty space. Then the command line string is built as "proc ax | grep -v root | grep -v nobody | grep -v apache | grep -v args". Finally it calls popen(3) with the command line string described in the last sentence as the first argument. The result of popen(3) will be returned to the user.

Vulnerability

As you can see, part of the input string is used at the end of the comman…