Shells and Security

The main problem with launching shells is that attackers might execute

shell commands riding on the system() or popen() function calls. An

attacker could include special metacharacters and flags in the command

string being passed to the shell for execution. (A metacharacter is a

sequence of one or more characters that the shell interprets as a

directive with a special meaning.)

For example, the bash, csh, and ksh shells treat the symbol >> as an

instruction to append output to a file; or the symbol ; is construed as

a command separator, which allows grouping of several commands in one

line. Allowing users to compose a command string that may contain

metacharacters is highly dangerous. Even running the shell under an

account with limited privileges, users can still collect sensitive

information by listing files in the current directory or exploring

network configuration as they pass the following string to a shell. For

example:

ls;finger

Another issue of concern is the ability to manipulate the Input Field

Separator (IFS) and environment variables such as $HOME and $PATH to

launch malicious programs. Finally, attackers can exploit the infamous

buffer overflow bug, which we discussed several weeks ago, by typing a

very long string.

How can you minimize the risks involved in launching shells from a

program?

* Don't use system() and popen() in any program or script publicly

accessible on your Web host;

* It's strongly advised that you don't use these functions in SGID

and SUID programs and scripts;

* Limit the length of an input string so that it doesn't cause a

buffer overflow;

* Screen the input string and remove any metacharacters from it

before you pass it to system() or popen().

Remember, in most cases you can give users the ability to make their

selection from menus, check boxes, radio lists, etc..., and let your

program compose a safe command string instead accepting an input string

directly from a user.

Top 10 Hot Internet of Things Startups
Join the discussion
Be the first to comment on this article. Our Commenting Policies