Shells and Security

by Danny Kalev

December 11, 2001 —

The main problem with launching shells is that attackers might execute
shell commands riding on the system() or popen() function calls. An
attacker could include special metacharacters and flags in the command
string being passed to the shell for execution. (A metacharacter is a
sequence of one or more characters that the shell interprets as a
directive with a special meaning.)

For example, the bash, csh, and ksh shells treat the symbol >> as an
instruction to append output to a file; or the symbol ; is construed as
a command separator, which allows grouping of several commands in one
line. Allowing users to compose a command string that may contain
metacharacters is highly dangerous. Even running the shell under an
account with limited privileges, users can still collect sensitive
information by listing files in the current directory or exploring
network configuration as they pass the following string to a shell. For
example:

ls;finger

Another issue of concern is the ability to manipulate the Input Field
Separator (IFS) and environment variables such as $HOME and $PATH to
launch malicious programs. Finally, attackers can exploit the infamous
buffer overflow bug, which we discussed several weeks ago, by typing a
very long string.

How can you minimize the risks involved in launching shells from a
program?

* Don't use system() and popen() in any program or script publicly
accessible on your Web host;
* It's strongly advised that you don't use these functions in SGID
and SUID programs and scripts;
* Limit the length of an input string so that it doesn't cause a
buffer overflow;
* Screen the input string and remove any metacharacters from it
before you pass it to system() or popen().

Remember, in most cases you can give users the ability to make their
selection from menus, check boxes, radio lists, etc..., and let your
program compose a safe command string instead accepting an input string
directly from a user.

ITworld