Checking this awk print is not vulnerable to code injection


There are awk statements (BusyBox v1.26.2 awk) that parse /proc/cmdline before passing an IP address to a program, and I can't change them.

/bin/t `awk 'BEGIN{FS="ip="}{print $2}' /proc/cmdline | awk 'BEGIN{FS=":"}{print $2}'`

So for ip=192.168.0.1:192.168.0.2:xxx:xxx:xxxx in /proc/cmdline, 192.168.0.2 will be passed as the argument to /bin/t.

I'm not too familiar with awk, but I think this is safe, and attempts to inject something that would be a security problem (e.g. $(reboot), 0.0.0.0`reboot`, etc.) will fail. (/bin/t has its own checks on the command-line arguments passed to it.)

In this case an attacker has control of the U-Boot bootargs variable and hence can control the ip= entry in /proc/cmdline.

I'd like reassurance from awk experts that this isn't injectable, if possible.

Many thanks.

Note for clarification: Is there anything I can put in /proc/cmdline that results in shell execution?

Nothing to do with awk, but your command isn't safe because you aren't quoting the argument to t, so the shell will evaluate it. Try echo `echo '*'` vs echo "`echo '*'`". Your awk command pipeline could be reduced too, and you should be using $(...) instead of backticks. This should be safe as well as concise, efficient, and robust:

/bin/t "$(awk 'BEGIN{FS="ip=|:"}{print $3}' /proc/cmdline)"
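As an added illustration (not code from the question or the answer), the script below runs the question's own two-stage awk pipeline over a constructed command line whose ip= value contains whitespace, backticks, $(...) and a glob character, and feeds the result to a stand-in for /bin/t both unquoted and quoted. It shows that the danger is field splitting and pathname expansion of the unquoted result, not re-evaluation of `...` or $(...) embedded in the data; the file name, directory and t_stub function are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the question or the answer. /proc/cmdline is replaced
# by a constructed file and /bin/t by a shell function that reports its
# arguments, so the effect of quoting the substitution can be observed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed kernel command line: the ip= value carries whitespace, backticks,
# $(...) and a glob, as attacker-controlled bootargs might.
printf 'console=ttyS0 ip=192.168.0.1:192.168.0.2 `reboot` $(reboot) *:gw:mask\n' \
    > "$WORK/cmdline"
# Two extra files so the glob has something to match.
: > "$WORK/a.txt"
: > "$WORK/b.txt"

# The question's two-stage pipeline, unchanged, applied to an arbitrary file.
extract_ip() {
    awk 'BEGIN{FS="ip="}{print $2}' "$1" | awk 'BEGIN{FS=":"}{print $2}'
}

# Stand-in for /bin/t: joins every argument it received with '|'.
t_stub() {
    out=""
    for a in "$@"; do out="$out|$a"; done
    printf '%s\n' "${out#|}"
}

# Vulnerable form: the substitution is unquoted, so its output is split into
# words and each word undergoes pathname expansion before t_stub sees it.
run_unquoted() {
    ( cd "$WORK" && t_stub $(extract_ip cmdline) )
}

# Hardened form from the answer: the substitution is quoted, so the output
# reaches t_stub as exactly one argument, metacharacters left as plain text.
run_quoted() {
    ( cd "$WORK" && t_stub "$(extract_ip cmdline)" )
}

echo "unquoted: $(run_unquoted)"
echo "quoted:   $(run_quoted)"
```

Note that neither form executes reboot: the output of a command substitution is never re-parsed for `...` or $(...); the unquoted form instead delivers several arguments, including expanded file names, where /bin/t expected one.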