BUG_Author: s0l42

Affected Version: shc ≤ 4.0.3

Vendor: shc GitHub Repository

Software: shc

Vulnerability Files:

• src/shc.c

Description:

Command Execution:

• In the file src/shc.c, the function make does not check the file name, and uses sprintf formats the user input to command, then uses system to execute the command. Thus, a command execution happened.
• For example, when the file name user input is like “a;touch aa;”，the command becomes cc flags ldflags a;touch aa;.x.c -o out ，a new file aa will be created.

Proof of Concept:

$ touch "test.sh;touch 1;"
$ echo '#!/bin/sh\\necho "hello"\\nls' > "test.sh;touch 1;"
$ ./shc -f "test.sh;touch 1;" -o aa

If success, the file 1 will be created.