Alluxio Version:
Versions from 2.3.0 until the latest (2.9.3).
Describe the bug
Passing a className with a pipe and another Unix shell command after the className as the parameter of alluxio.util.ShellUtils.isAlluxioRunning(java.lang.String) can inject malicious commands.
For example, the following code, ShellUtils.isAlluxioRunning("qwert | /usr/bin/gnome-calculator"),
would finally execute bash -c ps -Aww -o command | grep -i \"[j]ava\" | grep qwert | /usr/bin/gnome-calculator. The malicious code will open Calculator.
To Reproduce
Just executing ShellUtils.isAlluxioRunning("qwert | /usr/bin/gnome-calculator") reproduces it.
Urgency
Due to this vulnerability, any malicious code can be executed, so the impact is large.
Are you planning to fix it
I haven't started working on a PR yet and most likely I don't plan to.
Additional context
For example, if you have root rights you can execute ShellUtils.isAlluxioRunning("qwert | cd ../../../../../ | rm -rf /"), after which all files in the system root directory have been deleted, which is extremely dangerous.
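As an added illustration (not code from this issue or from Alluxio itself): a hypothetical reconstruction of the concatenation pattern the report describes, next to a hardened variant that rejects anything that is not a plausible Java class name and runs ps through an argument array so no shell ever parses the value. The class and method names (ProcessCheck, vulnerableCommand, isValidClassName, isJavaProcessRunning) are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class ProcessCheck {
  // Hypothetical reconstruction of the pattern the issue describes: the
  // caller-supplied className is spliced into one string handed to bash -c,
  // so a value containing "|" or ";" becomes additional shell commands.
  static String[] vulnerableCommand(String className) {
    return new String[] {"bash", "-c",
        "ps -Aww -o command | grep -i \"[j]ava\" | grep " + className};
  }

  // Hardened variant (added here, not Alluxio's own fix): only characters
  // that can occur in a fully qualified Java class name are accepted.
  private static final Pattern CLASS_NAME = Pattern.compile("[A-Za-z0-9_$.]+");

  static boolean isValidClassName(String className) {
    return className != null && CLASS_NAME.matcher(className).matches();
  }

  static boolean isJavaProcessRunning(String className) throws IOException {
    if (!isValidClassName(className)) {
      throw new IllegalArgumentException("invalid class name: " + className);
    }
    // Argument array: ps is exec'd directly, nothing here is shell-parsed.
    Process ps = new ProcessBuilder("ps", "-Aww", "-o", "command").start();
    try (BufferedReader reader = new BufferedReader(
        new InputStreamReader(ps.getInputStream(), StandardCharsets.UTF_8))) {
      String line;
      while ((line = reader.readLine()) != null) {
        // The same filtering the grep pipeline did, applied in Java to the
        // captured output instead of through a shell.
        if (line.toLowerCase().contains("java") && line.contains(className)) {
          return true;
        }
      }
    }
    return false;
  }

  public static void main(String[] args) {
    // A legitimate class name passes; the payload from the issue is rejected
    // before any process is spawned.
    System.out.println(isValidClassName("alluxio.master.AlluxioMaster"));
    System.out.println(isValidClassName("qwert | /usr/bin/gnome-calculator"));
  }
}
```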