On Mon, Jul 19, 2021 at 01:28:54PM +0000, Tommy Murphy wrote:
> > From: Richard Braun <[email protected]>
> > Sent: Monday 19 July 2021 12:26
> > To: Tommy Murphy <[email protected]>
> > Cc: OpenOCD <[email protected]>; Ooi, Cinly <[email protected]>
> > Subject: Re: Potential NULL byte injection
> >
> > Without the issue, the impact of a malicious/faulty input is restricted to what openocd can do. With it,
> > it's restricted to what the operating system allows the hacked program to do, and without sandboxing, it
> > can basically rm -rf or whatever.
>
> Perhaps you can illustrate how NULL byte injection can be used to make openocd execute rm -rf?
No, I can't. I was a bit too quick and assumed the kind of dangerous commands mentioned by Cinly could be somehow added and then used, as he says, but that doesn't seem true, so my bad.

But even if that was true, the issue reduces down to the fact that there can be dangerous commands or not, and the injection becomes irrelevant. And there already are dangerous commands. See the Jim-TCL command index [1], and in particular exec. So OpenOCD is already an exploit vector and users must trust/check any script they use, making the scripts more a part of OpenOCD than user input.

So, while the injection is a non-issue, that discovery (at least to me) is a bit scary.

-- 
Richard Braun

[1] http://jim.tcl.tk/fossil/doc/trunk/Tcl_shipped.html#CommandIndex
