this post was submitted on 10 Apr 2024
26 points (96.4% liked)
Security
674 readers
5 users here now
A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.
Rules :
- All instance-wide rules apply.
- Keep it totally legal.
- Remember the human, be civil.
- Be helpful, don't be rude.
Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
i’m not understanding how this is supposed to be so severe. if an attacker has the ability to change the arguments to a
CreateProcess
call, aren’t you hosed already? they could just change it to invoke any command or batch file they wanted.You wouldn't be hosed on Linux for example. Note that this applies to the arguments to the program, not just the program itself.
In other words if I do
run(["echo", untrusted_input])
it would be totally fine on Linux.honestly i wouldn’t trust your linux example at all, what happens with
run([“echo”, “&& rm -rf /“])
It would print “&& rm -rf /“ and nothing bad would happen.