Vulnerability Development mailing list archives
Re: shell script cgi (summary?)
From: Brian Hatch <vuln-dev () ifokr org>
Date: Mon, 18 Nov 2002 17:51:06 -0800
> Thanks to everyone who replied regarding my attempts to stuff shell
> commands into this line:
>
>   ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
>
> The summary is that no matter what type of " ' ` characters, shell
> commands, or termination or escape characters I tried to put into the
> $HTTP_USER_AGENT field I can't get it to execute commands. It's a
> surprisingly resilient line of code, most likely due to the "s around the
> $HTTP_USER_AGENT variable. I wouldn't call this type of programming "safe",
> but it's not *nearly* as bad as I thought at first.
I don't know what bad vibes you're getting here. You call it 'surprisingly resilient' and 'not nearly as bad' as you thought. But the fact is it's acting exactly the way it should and is in no way exploitable. It's not just "not nearly as bad" - it's rock solid. This doesn't mean it's pretty or elegant, but it's the only real way to do it in shell. Yes, we could easily write better versions if this were in Perl or C, avoiding any external system() like calls. But this simply works fine.
> The $ua variable is not ever used again so there's no other opportunity
> to exploit it.
This is the crucial point though. The line above cannot be exploited. But if $ua were used somewhere else, the result of the line above may be abused in later uses of the variable.
> .. it's a very useless line of code which should be removed anyway--it
> just looks very exploitable (and may be by someone out there ;).
I will go so far as to say that the "ua=..." assignment above *cannot* and will not ever be exploitable on a Bourne shell variant that acts properly and isn't broken itself. This isn't an issue of timeline. You can't break that line of shell.

--
Brian Hatch                     #define QUESTION \
Systems and                     ((bb) || !(bb))
Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed
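An added check of the claim discussed in this thread (example code, not from any poster): the quoted sed line is wrapped in a function and fed constructed User-Agent values containing the quote, backtick, `$(...)`, pipe and semicolon characters the summary mentions; the check passes only if the output is the literal input minus semicolons, which is exactly what you see when nothing inside the value is evaluated. The function names, the INJECTED marker and the sample agents are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): exercises the quoted sed line from
# the post with constructed hostile User-Agent values and verifies that
# every metacharacter survives as literal text, i.e. nothing runs.

# The line under discussion, wrapped in a function. In CGI the web server
# sets HTTP_USER_AGENT; here it is set from the function argument.
strip_semicolons() {
    HTTP_USER_AGENT="$1"
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    printf '%s' "$ua"
}

# Returns 0 when the sanitiser output equals the input with semicolons
# removed. Had any embedded command been evaluated, the marker text would
# be replaced by its output and the comparison would fail.
check_ua() {
    in="$1"
    expected=`printf '%s' "$in" | tr -d ';'`
    out=`strip_semicolons "$in"`
    [ "$out" = "$expected" ]
}

# Constructed samples covering the quoting styles the summary lists.
run_all() {
    check_ua 'Mozilla/5.0; $(echo INJECTED)'  || return 1
    check_ua 'curl/7.0 `echo INJECTED`'       || return 1
    check_ua 'x"; echo INJECTED; echo "'      || return 1
    check_ua "x'; echo INJECTED; echo '"      || return 1
    check_ua 'x | echo INJECTED'              || return 1
    check_ua 'plain agent;with;semicolons'    || return 1
    return 0
}

run_all && echo "all samples passed through as literal text"
```

The same inputs would behave very differently if $ua were later expanded unquoted or passed to eval, which is the point made above about later uses of the variable.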