Vulnerability Development mailing list archives

Re: shell script cgi (summary?)


From: Brian Hatch <vuln-dev () ifokr org>
Date: Mon, 18 Nov 2002 17:51:06 -0800



> Thanks to everyone who replied regarding my attempts
> to stuff shell commands into this line:
> 
> ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
> 
> The summary is that no matter what type of " ' `
> characters, shell commands, or termination or escape
> characters I tried to put into the $HTTP_USER_AGENT
> field I can't get it to execute commands.  It's a
> surprisingly resilient line of code, most likely due
> to the "s around the $HTTP_USER_AGENT variable. I
> wouldn't call this type of programming "safe", but
> it's not *nearly* as bad as I thought at first.

I don't know what bad vibes you're getting here.
You call it 'surprisingly resilient' and 'not
nearly as bad' as you thought.  But the fact is
it's acting exactly the way it should and is in
no way exploitable.  It's not just "not nearly as
bad" - it's rock solid.

This doesn't mean it's pretty or elegant, but it's the
only real way to do it in shell.  Yes, we could easily
write better versions if this were in Perl or C, avoiding
any external system() like calls.  But this simply
works fine.

> The $ua variable is not ever used again so there's no
> other opportunity to exploit it.

This is the crucial point though.  The line above cannot
be exploited.  But if $ua were used somewhere else, the
result of the line above may be abused in later uses
of the variable.

> .. it's a very useless
> line of code which should be removed anyway--it just
> looks very exploitable (and may be by someone out
> there ;).

I will go so far as to say that the "ua=..." assignment
above *cannot* and will not ever be exploitable on a
Bourne shell variant that acts properly and isn't broken
itself.  This isn't an issue of timeline.  You can't break
that line of shell.



--
Brian Hatch                  #define QUESTION \
   Systems and                  ((bb) || !(bb))
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
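The assignment discussed in this thread, exercised with hostile User-Agent values as an added example (not code from the thread or any of its participants). It shows both points made above: the double-quoted expansion executes nothing no matter what the value contains, and the resulting $ua still carries quotes, backticks and $(...), so a later unquoted use is where trouble would start. The CANARY path, the function names and the sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Feeds constructed hostile
# values through the line under discussion and checks (a) nothing ever
# executes and (b) the sanitized value is NOT shell-safe for later reuse.

CANARY="${TMPDIR:-/tmp}/ua_canary.$$"   # created only if a command ever runs

# The assignment from the thread, wrapped so it can be fed a chosen value.
# $(...) replaces the original backticks; the behaviour is identical.
sanitize_ua() {
    HTTP_USER_AGENT=$1
    ua=$(echo "$HTTP_USER_AGENT" | sed "s#\;##g")
    printf '%s' "$ua"
}

# Run the line over several hostile values (constructed samples). Returns 0
# when no command ran and every result is free of semicolons; 1 otherwise.
check_no_execution() {
    rm -f "$CANARY"
    for value in \
        "Mozilla/5.0; \`touch $CANARY\`" \
        "Mozilla/5.0\" ; touch $CANARY ; \"" \
        "Mozilla/5.0' ; touch $CANARY ; '" \
        "\$(touch $CANARY)"
    do
        out=$(sanitize_ua "$value")
        case $out in *\;*) return 1 ;; esac   # semicolons must be gone
    done
    [ ! -e "$CANARY" ]                         # ...and nothing was executed
}

# The caveat raised in the reply: only ';' is removed. Returns 0 if the
# sanitized value still contains a character the shell would interpret
# were $ua ever passed unquoted to eval, sh -c, or another command line.
ua_still_has_metachars() {
    case "$(sanitize_ua "$1")" in
        *\`*|*\$*|*\"*|*\'*|*\|*|*\&*) return 0 ;;
    esac
    return 1
}

# Stand-alone run: both checks hold.
if check_no_execution && ua_still_has_metachars '$(date)'; then
    echo "quoted expansion is literal; but \$ua is not shell-safe downstream"
fi
rm -f "$CANARY"
```

The practical rule this demonstrates: the quoting protects this one line, but every later consumer of $ua must quote it just as carefully, because the value it holds is still attacker-controlled text.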
