Everyone loves shell scripts! No wonder, then, that most Linux-based security products use shell scripts heavily. They are usually easier to develop than C/C++ programs: there is no compilation step, and they are quick to prototype.
However, alongside their endless applications, shell scripts carry many hidden dangers in the context of security, and these are often overlooked when the scripts are written.
For example, consider a shell script, which simply uses the ping command to check connectivity between two hosts.
ping -c1 "$1"
In this use case, $1 is an input that might come from a CGI handler or from another script. If the input is not properly validated, an attacker can easily exploit the shell's command substitution.
ping -c1 "18.104.22.168 && command"
In this example, the shell treats the text after the && as a separate command and executes it alongside ping. There are several other ways to achieve the same command substitution:
ping -c1 "22.214.171.124`command`"
ping -c1 126.96.36.199|command
ping -c1 188.8.131.52; command
Most gateway-level security products, such as Unified Threat Management (UTM) appliances and firewalls, provide portals for end users. Portals offer many services, including remote access tool downloads, retrieval of quarantined emails, changing user preferences, and so on.
These services expect some form of user input and may invoke a shell script in the back end of the product.
Through such flaws, an attacker can gain root permission with remote command execution on a vulnerable device simply by sending malicious input. Once a vulnerable device is compromised, the attacker can move into the organization's network.
Although user inputs are validated most of the time, there is always a possibility that some validation is missing.
This command substitution attack is also known as 'Pre-Authentication Remote Command Execution', as an attacker can run the exploit without any valid credentials.
Very recently this flaw was discovered in a firewall appliance of a reputed brand.
In Seqrite UTM, we explicitly focus on such areas during development so that devices are not vulnerable to these common exploits.
The following are some guidelines for writing secure shell scripts:
- Use absolute paths (or paths relative to a known directory) for commands used in scripts.
- Set the PATH variable to a correct, trusted value inside scripts.
- Quote every variable passed as an argument, so it is handed to the command as a single word.
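The following added example (not code from the original post or from the Seqrite product) shows the injection described above side by side with the guidelines above, in POSIX sh. It assumes the input reaches a shell parser, which is what happens when a portal back end splices a user-supplied host into a command string and hands it to sh -c (or to system(), which does the same). In that situation the metacharacters in the argument become shell syntax; when the script instead receives the value as one argument and passes it on as a quoted word, ping sees it as data. To keep the example runnable offline, echo stands in for ping; the assumption that ping honours -- as an end-of-options marker (true for the getopt-based iputils ping) is noted in a comment.

```sh
#!/bin/sh
# Constructed example: an untrusted host value on its way to a command line.

# Allow-list validation: dotted IPv4 or a conservative hostname only
# (letters, digits, dots, hyphens), never empty, never starting with '-'
# so it cannot be parsed as an option by the called program.
is_safe_host() {
    case "$1" in
        '' | *[!A-Za-z0-9.-]*) return 1 ;;   # empty or contains a disallowed byte
        -*)                     return 1 ;;   # would be read as an option flag
        *)                      return 0 ;;
    esac
}

# Vulnerable pattern: the whole command is rebuilt as a string and handed to a
# fresh shell, so "; id", "&& id", "|id" or `id` in $1 all become shell syntax.
# 'echo' stands in for ping so the example runs without network access.
unsafe_ping() {
    sh -c "echo ping -c1 $1"
}

# Hardened pattern, following the guidelines above:
#  - a fixed, trusted PATH so 'ping' cannot be shadowed by a planted binary;
#  - validation before the value is used at all;
#  - the value passed as one quoted word, after '--' (assumed to be honoured by
#    getopt-based ping implementations), so it can only ever be an operand.
safe_ping() {
    PATH=/usr/bin:/bin
    export PATH
    is_safe_host "$1" || { echo "rejected: invalid host '$1'" >&2; return 2; }
    echo ping -c1 -- "$1"
}

# Demonstration when run directly.
if [ "${0##*/}" = "ping_check.sh" ]; then
    unsafe_ping '10.0.0.1; echo INJECTED'      # prints two lines: the ping and INJECTED
    safe_ping   '10.0.0.1; echo INJECTED'      # rejected, exit status 2
    safe_ping   'gateway.example.com'          # prints: ping -c1 -- gateway.example.com
fi
```

The case statement is deliberately an allow-list rather than an attempt to strip known metacharacters: rejecting anything outside the expected alphabet is simpler to reason about and does not need updating each time a new shell construct is discovered.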