3

I have recently found out that a server I am working on has an xinetd service that is in fact a shell script that calls another shell script with arguments retrieved via respective network connections.

It does something like this:

 /execute/another/script $WITH $A $FEW $ARGUMENTS

What makes me afraid this is a real problem is the fact that the variables are not sanitized in any way and since this is executed as root it's something to be taken seriously.

Could someone please advise? I would also be curious to find out how one can abuse variables in such situations in order to have something else executed, can someone provide examples?

Improve this question
2
  • 3
    Bad juju. Don't do it. Commented Oct 16, 2011 at 4:52
  • 1
    Why not wrap it with server = su -u correctUser "/path/to/wrapper" Commented Jan 8, 2012 at 23:50

2 Answers 2

Reset to default
2

I can see two types of attacks. One against script itself, by calling it with data that can give elevated privileges. The other one against bash, by using a buffer overflow or other bash bugs. One issue is that bash was not designed to have a good security for this kind of attacks, because it expects that the input is feed by the same person as the one who started it.

At the minimum I would update the bash script to be able to run as a normal user and use sudo or other Unix mechanism for the things that requires elevated privileges.

Improve this answer
1

How about this?

export ARGUMENTS='ValidArg&mkdir /var/tmp/hello_there'
Improve this answer
1
  • That doesn't seem to work; `ARGUMENTS='ValidArg&mkdir /var/tmp/hello_there'; ls $ARGUMENTS' Commented Oct 16, 2011 at 16:43

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.