Shells and Security
The main problem with launching shells is that attackers might execute
shell commands riding on the system() or popen() function calls. An
attacker could include special metacharacters and flags in the command
string being passed to the shell for execution. (A metacharacter is a
sequence of one or more characters that the shell interprets as a
directive with a special meaning.)
For example, the bash, csh, and ksh shells treat the symbol >> as an
instruction to append output to a file; or the symbol ; is construed as
a command separator, which allows grouping of several commands in one
line. Allowing users to compose a command string that may contain
metacharacters is highly dangerous. Even running the shell under an
account with limited privileges, users can still collect sensitive
information by listing files in the current directory or exploring
network configuration as they pass the following string to a shell. For
example:
ls;finger
Another issue of concern is the ability to manipulate the Input Field
Separator (IFS) and environment variables such as $HOME and $PATH to
launch malicious programs. Finally, attackers can exploit the infamous
buffer overflow bug, which we discussed several weeks ago, by typing a
very long string.
How can you minimize the risks involved in launching shells from a
program?
* Don't use system() and popen() in any program or script publicly
accessible on your Web host;
* It's strongly advised that you don't use these functions in SGID
and SUID programs and scripts;
* Limit the length of an input string so that it doesn't cause a
buffer overflow;
* Screen the input string and remove any metacharacters from it
before you pass it to system() or popen().
Remember, in most cases you can give users the ability to make their
selection from menus, check boxes, radio lists, etc..., and let your
program compose a safe command string instead accepting an input string
directly from a user.
» posted by ITworld staff
ITworld
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
