Enter sanitization bypassed
When the Rapid7 researchers seemed on the patches, they seen some sanitization being added to a price known as $gskey which was being handed to a script known as $ingrediRoot/app/dbquote through the echo command.
“The change in how the $gskey worth is handed to the echo command is a traditional argument injection subject,” the researchers wrote. “In a shell script, when passing an unquoted variable to a command, the shell will cross the contents of the worth to the command as particular person arguments to the command, as parsed by the shell. If the worth is wrapped in double quotes, the shell will cross all the worth as a single argument to the command.”
However the BeyondTrust advisory mentioned that exploiting this vulnerability “can enable an unauthenticated distant attacker to execute underlying working system instructions throughout the context of the location consumer.” And the argument injection by itself shouldn’t be attaining that, so the researchers needed to maintain digging.
