From YouTube: Argument Injection - Invited presentation for Team Bi0s
Description
Presentation Slides: https://docs.google.com/presentation/d/1U8r5CJs9dLOLO2-hj_bHidRMXugUl3ejv8Hdw6bDMv4/
A talk, and I was even able to freely choose my topic, so I am trying to explain a bit about the bug class I really like, which is argument injection, and it just started, so we'll have fun. The agenda: the classic command execution, the schematic of injection, common countermeasures, and argument injection as a follow-up thing from those countermeasures. We will have a look at the general concept, and have two examples where, for one, I will do a walk-through, and then we'll have some conclusions.

Obviously, so, let's see how this is not good. We can have so many characters in there. So we can have backticks or a semicolon, or somehow convince the shell of running some other command, and then some other command after the intended one. So this is what's really happening when you have a call to system in programming languages: it will invoke the shell, and you invoke the command and its arguments, and the shell will interpret it basically as a small script.

So, for instance, in Ruby we can escape this in a way that we don't call the shell directly but rather call the binary directly, without the detour via the shell. So in this case we would have this syntax: we will use the shell, we will expand dollar HOME to my own directory, and then we have this syntax where we separate the command and its argument. We will have the literal dollar HOME, so sh won't be invoked directly, rather echo would be invoked directly, and we cannot inject any shell metacharacters anymore.

So there are different ways to do this, and we are somewhere here. So we give the program a command and the arguments to the program it is calling, so we're invoking the program directly, but we can maybe inject arguments into that very command. So this would work like this. If you consider deleting a file which is called -a, you would see that you cannot copy it, because cp will think -a is not a file name, it's rather a flag to cp.

So this is a very basic concept of argument injection: for rm, rm -a to remove the file. rm, I know, is a bit more intelligent. It tells you that this is an invalid option. If you want to try to remove the file -a you should call it ./-a, so rm wouldn't see it as an argument itself anymore.

So this is like a very, very basic concept of this, and by argument injection I'm talking about exactly this concept, for CWE 88, which is the Common Weakness Enumeration for argument injection. They interpret it a bit differently, so here we're talking about direct invocation of programs, and we are able to influence one or more of the elements to that very command.

One example would be an injection vulnerability in the CBT handler, which is the comic book handler backend of Evince, the popular PDF and document viewer on Linux, and Felix Wilhelm, who by now, I think, is at Google Project Zero, found this issue. And if you look at the slides, you can click this link to see the original advisory which I'm taking apart here. So what happened here on the CBT?

The comic book file is basically a tar file containing a number of images, and the images will be extracted from the tar file like this. And here we have two potential argument injection points: one would be dollar archive and one would be the file name variable, so we could even maybe name the file in a special way, either the containing CBT file, or we name the files within the tar archive in a sort of pattern to exploit this issue of arguments being injectable.

So this is what Felix did in his advisory: he created a file within the CBT archive which was called --checkpoint-action=exec=... and this is the argument to tar. Tar would see this instead of the file name to extract; it would see: oh, I should do a checkpoint action. This checkpoint action would be this bash line, which is to be executed, which tar just does.

Subsequently, and the interesting part here, just as a side note: we can have a slash within a file name within the tar file, because the directory separator is fine within a file name within the tar file. So we could even do things in other directories, and not just in the file he proposed.

Git repositories via ssh: it would invoke ssh. We can't see this here without any further tooling. You can just see that ssh is being invoked, and we can maybe debug this a bit. We could try to use strace and try to trace all executions, execve calls, and here we could see how ssh is being invoked. It is very helpful to see how we could possibly turn this into an argument injection. So we see here we are cloning test at localhost, and we see this here.

So we could try to first instruct git to not take this as an argument, because if you leave this out, it would complain about the unknown switch. So we want to separate this with --, so it stops the argument processing. It takes this literally as ssh hostname. So here we see we can indeed do this.

Here we now have the -v flag injected and can have debug output from ssh, but this is not really interesting, so we want maybe to inject other things. And as soon as I found, within the issue, that we can inject into ssh, I looked at the man page and I found a very useful thing to do. With this, we can tell ssh to use a proxy command to connect to a host, to our host, and this would, in our case, just execute this proxy command.

So we are trying to clone a git repo, and if we hide this in the repo URL, we would be able to execute those commands with the help of ssh. So here we see in the strace trace: we see ssh getting this proxy command and then my shell executing this helper command to ssh, because we just shifted from what should be the host and the user. Here we shift this into a command, into an argument which would invoke the command we're choosing, and here this would be interpreted.

We would actually try to ssh into it, but it doesn't matter, because the proxy command gets invoked beforehand. So this is how this exploit worked, and this is pretty much also how I discovered it: by just using strace and looking at how it behaves on a clone from certain different URLs, and this ultimately ended up in this issue being identified. So, back to the slides.

So just the recap of this one: we will git clone via an ssh URL and then have the host part being the argument injection via git to ssh, which then will invoke our helper program, which we want to use or exploit. And in terms of exploitation, I made this for my proof of concept pointing to a binary or a shell script, even within the git repo which was just cloned. So it was self-contained.

Also from an exploitation point of view, it's hard to generalize argument injection, on how to exploit it, because it always depends on what the program you're able to inject elements into is actually doing, and if it is capable at all to execute sub-commands or do something really bad. Sometimes it's only possible to overwrite files or corrupt files or create empty files somewhere, or create a file somewhere, and you don't fully control the file's content, and stuff like this, depending on how whatever is being invoked is working.

So this is a fun part, to actually find out how you can do the most useful exploit with the argument injection into a given program you've identified. And from a defender's perspective: when you put your code in, try to not outsource functionality into sub-shell commands, and maybe don't take user input.

Try to leave out the shell and just call the program with the parameters, because the parameters and arguments might be injectable again, and the impact of the exploitation is highly dependent on what you actually have there, and you should always read the manual to see what you're dealing with and how you could possibly exploit a given program. And for debugging and figuring out such issues, it's usually a really good idea to trace or debug, for instance with strace, in order to find such issues. So this is so much about argument injection.