A couple of years back, I preordered the Yoggie Pico Pro (tiny little USB security device with an ARM CPU that acts as a firewall, spam filter, anti-virus, etc. for your PC) with the intention of breaking it. A couple of hours after it arrived on release day, I had code running on it. How? Well, they had a web interface on the device, which allowed you to ping hosts on your network for testing purposes. I noticed they were showing standard busybox ping output, so I tried out the basics: semicolons, ampersands, etc. They seemed to be throwing a null in at the first instance of a semicolon or other special characters, cutting off your command and preventing exploitation. What they <i>didn't</i> replace were backticks. So if the string was "ping %s" and you threw in "`pwd`", you would see "ping: unknown host /path". From here, exploitation is obvious; I got SSH up and running in no time and had a beautiful little ARM Linux box at my disposal. You can see the advisory at <a href="http://secunia.com/advisories/25902" rel="nofollow">http://secunia.com/advisories/25902</a> if you're curious. This was a short project, but it was a whole lot of fun.
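The bug the comment describes is a blocklist filter on a shell-interpolated string: the device cut the input off at a semicolon or ampersand but left backticks alone, so the shell still performed command substitution. The following is an added example written for this page, not Yoggie's code and not from the advisory; the exact set of characters the device truncated on is an assumption, and the hardened `safe_build_ping_argv` is one standard fix (allowlist validation plus argv without a shell), not what the vendor shipped.

```python
import re
import subprocess
from typing import List

# Hypothetical reconstruction of the filter the post describes: cut the input
# off at the first "special" character.  The character set is an assumption;
# the post only says semicolons, ampersands and similar were cut off while
# backticks were not.
_CUTOFF_CHARS = ";&|<>\n\r"


def weak_sanitize(user_input: str) -> str:
    """Blocklist filter: keep everything before the first listed character."""
    for i, ch in enumerate(user_input):
        if ch in _CUTOFF_CHARS:
            return user_input[:i]
    return user_input


def weak_build_command(user_input: str) -> str:
    """Vulnerable pattern: interpolate the filtered value into a shell string.

    Never execute the result; it is here to show what the shell would parse.
    """
    return "ping -c 1 %s" % weak_sanitize(user_input)


# Shell syntax that survives the blocklist above and still runs a command:
# command substitution via backticks (as in the post) or $( ... ).
_SUBSTITUTION = re.compile(r"`|\$\(")


def bypasses_blocklist(user_input: str) -> bool:
    """True when the *filtered* string still contains command substitution.

    Useful as a detection check over request logs: any hit means the
    blocklist let shell syntax through.
    """
    return bool(_SUBSTITUTION.search(weak_sanitize(user_input)))


# Hardened version: allowlist-validate the host (hostname labels or dotted
# IPv4; constructed for this example), then hand it to ping as a separate
# argv element so no shell ever parses it.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_host(host: str) -> bool:
    """Allowlist check: only letters, digits, hyphens and dots in DNS labels."""
    return _HOST_RE.match(host) is not None


def safe_build_ping_argv(host: str) -> List[str]:
    """Return argv for ping, or raise ValueError if the host fails the allowlist."""
    if not is_valid_host(host):
        raise ValueError("invalid hostname or address: %r" % host)
    # A label cannot start with '-', so the host can never be read as an option.
    return ["ping", "-c", "1", host]


def safe_ping(host: str) -> int:
    """Run ping with no shell involved; returns the process exit code."""
    argv = safe_build_ping_argv(host)
    return subprocess.run(argv, capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    for sample in ["8.8.8.8", "8.8.8.8; id", "`pwd`"]:
        print(repr(sample), "->", repr(weak_build_command(sample)),
              "| bypasses blocklist:", bypasses_blocklist(sample),
              "| passes allowlist:", is_valid_host(sample))
```

The design point is that the two functions answer different questions: the blocklist asks "does this contain a character I thought of?", while the allowlist asks "does this look like a host?". Only the second one stays correct when the shell grows a metacharacter you forgot, and passing an argv list instead of a format string removes the shell from the path entirely.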