Logo - Pure Storage
Blog Home

Example payload in remote config:

$ ./dconfig fetch Error: 401 Unauthorized But maybe the server accepts any non-empty token:

Flag obtained. If dconfig supports variable substitution in values, test with:

$ file dconfig dconfig: ELF 64-bit executable $ ./dconfig --help Usage: dconfig [OPTIONS] COMMAND Commands: fetch Retrieve config from remote source apply Apply config to local environment validate Check config syntax

$ export DCONFIG_TOKEN=test $ ./dconfig fetch

value: .Env.SECRET You might be able to read system files or environment variables of the dconfig process itself. The apply command might write to protected files (e.g., /etc/profile.d/ , .bashrc , or systemd units). If you control the remote config, you can inject malicious commands.

$ ls -la -rw-r--r-- 1 user user 124 .dconfig.yaml -rwxr-xr-x 1 user user 2.1M dconfig Sample config:

Dconfig 2 Now

Example payload in remote config:

$ ./dconfig fetch Error: 401 Unauthorized But maybe the server accepts any non-empty token: dconfig 2

Flag obtained. If dconfig supports variable substitution in values, test with: Example payload in remote config: $

$ file dconfig dconfig: ELF 64-bit executable $ ./dconfig --help Usage: dconfig [OPTIONS] COMMAND Commands: fetch Retrieve config from remote source apply Apply config to local environment validate Check config syntax If you control the remote config, you can

$ export DCONFIG_TOKEN=test $ ./dconfig fetch

value: .Env.SECRET You might be able to read system files or environment variables of the dconfig process itself. The apply command might write to protected files (e.g., /etc/profile.d/ , .bashrc , or systemd units). If you control the remote config, you can inject malicious commands.

$ ls -la -rw-r--r-- 1 user user 124 .dconfig.yaml -rwxr-xr-x 1 user user 2.1M dconfig Sample config:

Top Stories