
"The method will first iterate through each of the additional arguments and combine each key value pair into a single string, separated by a "=" character that will later be used as an environment variable. Next, a switch case statement is used to ensure the provided command is one of the values in TroubleshootingCommands. Each command value will be processed using the same code. The method will next iterate through each environment variable, and inspect it for the following common command injection strings: If any are found, the request will be rejected, and an exception is thrown."
"The execEvil() method in turn will call Runtime.getRuntime().exec() to run the script, with the second parameter passing the environment variables that will be used by the script. Each command value will have a function in network-troubleshooting.sh, such as run_dns() for the "DNS" command value."
runTroubleshooting() takes a command and additional JSON-RPC parameters, and concatenates each key/value pair into an environment-variable string. A switch enforces that the command matches a TroubleshootingCommands value, but every command is then processed by the same code. The code inspects the environment-variable strings for certain command-injection substrings and rejects the request if any match; otherwise it passes the variables to execEvil(). execEvil() calls Runtime.getRuntime().exec() to run network-troubleshooting.sh with those environment variables. The script's functions then build a CMD string from the variables and call eval on it, so unsanitized variable contents are executed by the shell.
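The eval pattern described above, next to a hardened form, as an added example that is not code from network-troubleshooting.sh or from the original article. `HOST`, the function names, the sample values and the use of `printf` as a stand-in for the real lookup tool are all assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not the product's script.
# HOST is a hypothetical variable name. In the flow described above it would
# arrive through the environment passed to Runtime.exec(); here it is set inline.
# printf stands in for the real DNS tool so the example runs offline.

# Pattern described above: build a CMD string from the variable, then eval it.
run_dns_eval() {
    CMD="printf 'lookup:%s\n' $HOST"
    eval "$CMD"    # the shell parses the contents of HOST a second time, as code
}

# Hardened form: allowlist the value, then pass it as one quoted argument.
# There is no eval, so the value is only ever data.
run_dns_safe() {
    case "$HOST" in
        ''|-*|*[!A-Za-z0-9.-]*)
            # empty, option-like, or contains a character outside the allowlist
            echo "rejected" >&2
            return 1
            ;;
    esac
    printf 'lookup:%s\n' "$HOST"
}

# Constructed sample values: a plain hostname, and one carrying a command separator.
for HOST in 'example.test' 'example.test; echo REPARSED'; do
    run_dns_eval
    run_dns_safe || true
done
```

An allowlist of permitted characters fails closed on anything unexpected, which a filter that searches for known-bad substrings cannot guarantee.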
Read at Zero Day Initiative