
I have recently found out that a server I am working on has an xinetd service that is in fact a shell script that calls another shell script with arguments retrieved via respective network connections.

It does something like this:

    /execute/another/script $WITH $A $FEW $ARGUMENTS

What makes me afraid this is a real problem is the fact that the variables are not sanitized in any way and since this is executed as root it's something to be taken seriously.

Could someone please advise? I would also be curious to find out how one can abuse variables in such situations in order to have something else executed, can someone provide examples?

Starfish
remote

2 Answers


I can see two types of attacks. One against the script itself, by calling it with data that can give elevated privileges. The other one against bash, by using a buffer overflow or other bash bugs. One issue is that bash was not designed to have good security against this kind of attack, because it expects that the input is fed by the same person as the one who started it.

At the minimum I would update the bash script to be able to run as a normal user and use sudo or another Unix mechanism for the things that require elevated privileges.

Mircea Vutcovici

How about this?

    export ARGUMENTS='ValidArg&mkdir /var/tmp/hello_there'

user314104
  • That doesn't seem to work; `ARGUMENTS='ValidArg&mkdir /var/tmp/hello_there'; ls $ARGUMENTS` – remote Oct 16 '11 at 16:43
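
An added example, not part of any post above: the shell does not re-parse an expanded variable for operators such as `&`, which matches what the comment observed, but an unquoted expansion is still word-split, so one network-supplied value can become several arguments. The sketch below shows that difference with the string from the second answer and a hardened call path; `count_args`, `is_safe_arg`, `run_checked` and the allowlist itself are hypothetical names and choices, not taken from the server in the question.

```shell
#!/bin/sh
# Added example: hypothetical hardening for a wrapper like the one in the question.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# Print how many arguments were received.
count_args() {
    echo "$#"
}

# Allowlist check (an assumption: adjust to what the service really needs).
# Accepts only letters, digits, dot, underscore and hyphen; rejects empty
# values and values starting with '-' so they cannot be taken as options.
is_safe_arg() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate every argument, then call the target with each one quoted.
# Quoting alone does not help if the called script re-parses its input
# (for example with eval), which is why the allowlist comes first.
run_checked() {
    target=$1; shift
    for a in "$@"; do
        is_safe_arg "$a" || { echo "rejected argument" >&2; return 1; }
    done
    "$target" "$@"
}

# Constructed sample: the value from the second answer.
SAMPLE='ValidArg&mkdir /var/tmp/hello_there'

# Unquoted: split on the space into two arguments; '&' stays a literal byte.
unquoted_count() { count_args $SAMPLE; }
# Quoted: passed through as exactly one argument.
quoted_count() { count_args "$SAMPLE"; }
```

In the xinetd wrapper the call would become `run_checked /execute/another/script "$WITH" "$A" "$FEW" "$ARGUMENTS"`, ideally running as an unprivileged user as the first answer suggests.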