Wildcards are symbols which represent other characters. You can use them with any command such as the cat or rm commands to list or remove files matching a given criteria. There are others, but the one that is important to us right now is the * character, which matches any number of characters.

For example:

• cat * displays the contents of all files in the current directory
• rm * removes all files in the current directory

How it works under the hood is that the * character gets expanded to all the matching files. If we have the files a, b and c in our current directory, and we run rm *, then the outcome will be rm a b c.

## The problem

As we know, we can pass flags to programs on the command line to indicate how it should run. For example if we use rm -rf instead of just rm then it will recursively and forcefully delete files without further prompting.

Now what would happen if we ran rm * and had a file in the current directory with name -rf? Shell expansion of the * would cause the command to become rm -rf a b c and -rf will be interpreted as a command argument.

This is bad news when a privileged user or script uses wildcards in a command which has potentially dangerous flags, in particular, ones related to external command execution. In these cases we can likely use it to escalate privileges.

## Dangerous programs: chown and chmod

Both chown and chmod can be exploited in the same way, so I will only explain chown.

Chown is a program which allows you to change the owner of a specified file. The following example changes the owner of some-file.txt to be some-user:

chown some-user some-file.txt

Chown has a --reference=some-reference-file flag, which specifies that the owner of the file should be the same as the owner of the reference file. An example should help:

chown some-user some-file.txt --reference=some-reference-file

Let’s say the owner of some-reference-file is another-user. In that case, the owner of some-file.txt will be another-user instead of some-user.

### Exploitation

Let’s say we have a vulnerable program called vulnerable.sh which contains the following:

cd some-directory
chown root *


In that case, let’s create a file which is owned by us:

cd some-directory
touch reference


Then we create a file which will inject the flag:

touch -- --reference=reference

If you create a symlink to /etc/passwd in the same directory, then the owner of /etc/passwd will also be you, which will allow you to gain a root shell. For more detailed information about escalating privileges using /etc/passwd, refer to this article.

## Dangerous program: tar

Tar is a program which allows you to collect files into an archive.

In tar, there are “checkpoint” flags, which allow you to execute actions after a specified number of files have been archived. Since we can inject those flags with wildcard injection, we can use checkpoints to execute commands of our choosing. If tar is run as the root user, the commands will also be run as the root user.

Given this vulnerability, an easy way to gain root privileges is by making ourselves a sudoer. A sudoer is an user who can assume root privileges. These users are specified in the /etc/sudoers file. By just appending one extra line to that file, we can make ourselves a sudoer as well.

### Exploitation

Let’s say we have a vulnerable program and cron is being used to run it periodically. The program contains the following:

cd important-directory
tar cf /var/backups/backup.tar *


The steps to follow for root access are:

1) Inject a flag which specifies our checkpoint

First we will specify that after one file has been archived, there is a checkpoint. We will later give an action to that checkpoint, but for now we will simply tell tar that it exists.

Let’s create the file which will inject the flag:

cd important-directory
touch -- --checkpoint=1


2) Write a malicious shell script

The shell script will append code to /etc/sudoers that will make you a sudoer.

The line you need to add to/etc/sudoers is my-user ALL=(root) NOPASSWD: ALL.

Let’s create the shell script:

echo 'echo "my-user ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > demo.sh

The shell script should be in the same directory as the wildcard.

Note that we will have to change my-user to be the actual user we want to make a sudoer.

3) Inject a flag which specifies the checkpoint action

We will now specify that, when tar hits the checkpoint we specified at step #1, it should run the shell script we created at step #2:

touch -- "--checkpoint-action=exec=sh demo.sh"

4) Gain root

Wait until cron has executed the script and gain root privileges by typing:

sudo su

## Dangerous program: rsync

Rsync is a “fast, versatile, remote (and local) file-copying tool”, that is very common on Unix systems.

Some interesting flags to use with rsync are:

 -e, --rsh=COMMAND           specify the remote shell to use
--rsync-path=PROGRAM    specify the rsync to run on remote machine


We can use the -e flag to run any shell script we want. Let’s create a shell script which will add us to the sudoers file:

echo 'echo "my-user ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > shell.sh

Now let’s inject the flag which will run our shell script:

touch -- "-e sh shell.sh"

## Mitigation

Although wildcard injection can be extremely dangerous, it is also pretty easy to avoid. Adding the full path of the directory in front of the wildcard is enough to stop the attack.

This is exploitable:

some_command *

But this isn’t:

some_command /path/to/some/folder/*

## Conclusion

Using wildcards seems completely safe at first glance, but in reality, we must take great care not to expose ourselves to wildcard injection.