The vulnerability in tracexec's command line reconstruction feature stems from improper parsing of environment variable keys that begin with a dash ('-'). When a traced process executes a child process using the `env` command with a malicious environment variable such as `-- -a=b`, tracexec incorrectly interprets this variable as a command-line argument during its UI reconstruction. This occurs because the parser fails to distinguish between legitimate arguments and environment variables crafted to mimic them. Specifically, when `env -- -a=b bash --norc` is executed under tracexec's TUI mode, the reconstructed command line is displayed as `env -a bash -a=b _=/usr/bin/env /usr/bin/bash --norc`. Here, the `-a=b` string is erroneously injected as an argument (`-a`) for the `env` command, preceding the actual command (`bash`). This injection is purely a UI-level artifact and does not affect the actual process execution. However, if a user copies this inaccurate command line from the TUI and executes it in a terminal, the injected argument could potentially manipulate env's behavior, leveraging options like `--chdir` or `--unset`.
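The ambiguity above, as an added example that is not tracexec's code: a reconstructor that emits `env KEY=VALUE ... cmd args` for display, a simplified model of how `env` itself parses such a line, and the check the `/proc/$PID/environ` grep performs. The `--` terminator used in `reconstruct_safe` is one assumed mitigation, not a description of the actual 0.14.0 fix.

```python
import shlex

def reconstruct_naive(env_changes: dict, argv: list) -> str:
    """Display string as a naive reconstructor builds it (models the defect):
    a key such as '-a' becomes the token '-a=b' right after 'env'."""
    parts = ["env"] + [f"{k}={v}" for k, v in env_changes.items()] + list(argv)
    return " ".join(shlex.quote(p) for p in parts)

def reconstruct_safe(env_changes: dict, argv: list) -> str:
    """Same, but emit '--' (end of env options) whenever a key could be
    mistaken for an option. Assumed mitigation, not tracexec's own fix."""
    parts = ["env"]
    if any(k.startswith("-") for k in env_changes):
        parts.append("--")
    parts += [f"{k}={v}" for k, v in env_changes.items()] + list(argv)
    return " ".join(shlex.quote(p) for p in parts)

def parse_env_cmdline(cmdline: str):
    """Simplified model of env's argument handling: dash-prefixed tokens are
    options until the first non-option, '--' ends options, then KEY=VALUE
    assignments, then the program and its arguments.
    Returns (options, assignments, program_argv)."""
    toks = shlex.split(cmdline)
    if not toks or toks[0] != "env":
        raise ValueError("not an env command line")
    opts, assigns, i = [], [], 1
    while i < len(toks) and toks[i].startswith("-"):
        if toks[i] == "--":
            i += 1
            break
        opts.append(toks[i])
        i += 1
    while i < len(toks) and "=" in toks[i]:
        assigns.append(toks[i])
        i += 1
    return opts, assigns, toks[i:]

def dash_keys(environ: bytes) -> list:
    """Keys in a NUL-separated /proc/PID/environ image that start with '-',
    i.e. what `strings /proc/$PID/environ | grep -- "^-"` looks for."""
    keys = [e.split(b"=", 1)[0] for e in environ.split(b"\0") if e]
    return [k.decode(errors="replace") for k in keys if k.startswith(b"-")]

if __name__ == "__main__":
    naive = reconstruct_naive({"-a": "b"}, ["bash", "--norc"])
    print(naive, parse_env_cmdline(naive))   # '-a=b' lands in the options
    safe = reconstruct_safe({"-a": "b"}, ["bash", "--norc"])
    print(safe, parse_env_cmdline(safe))     # '-a=b' stays an assignment
    # constructed sample environ image
    print(dash_keys(b"PATH=/usr/bin\0-a=b\0HOME=/root\0"))
```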
Platform: tracexec
Version: <0.14.0
Vulnerability: Argument Injection
Severity: Low
Date: 2024
Prediction: 2024-10-15
What Undercode Says:
env -- -a=b bash --norc
tracexec -o trace.log env -- -a=b bash --norc
cat trace.log | grep "cmdline"
strings /proc/$PID/environ | grep -- "^-"
How to Exploit:
A malicious user sets an environment variable whose key starts with a dash. tracexec displays a corrupted command line. A user copies and executes it, triggering argument injection in env.
Protection from this CVE
Upgrade to tracexec 0.14.0. Do not copy and paste commands from the tracexec UI that show environment variables with leading dashes.
Impact:
UI spoofing, potential command injection if copied command is executed. Local low-privilege users can mislead tracexec users.
Sources:
Reported By: github.com