What, if any, injection vulnerabilities exist in bash and how can I protect against them?

I have a bash script that I run through procmail. Procmail passes in the subject and from fields of the email as arguments to the bash script. Since these values are not processed in any way, I am trying to find out if there are any injection vulnerabilities in bash that someone could use, and if so, what I can do to protect against them. Here is sample code illustrating what happens:

    #!/bin/bash
    /usr/sbin/sendmail -t <<EOF
    From: "myhost Administrator" <admin@myhost.example.com>
    To: john_doe@gmail.com
    Subject: An email subject

    You've received a new email.
    It has a subject of "$2"
    It was sent from "$1".
    EOF

This bash script will be called by procmail with a .procmailrc script as follows:

    :0
    * ^From:\s*\/.*
    {
        FROM = "$MATCH"
    }

    :0
    * ^Subject:\s*\/.*
    {
        SUBJECT = "$MATCH"
    }

    :0 c:
    * ^To:.*@example.com
    | /home/john_doe/examplescript.bash "$FROM" "$SUBJECT"

Two areas that I'm interested in regarding injection vulnerabilities are in creating a script:

 /home/john_doe/examplescript.bash "$FROM" "$SUBJECT" 

and using variables in the script.

    /usr/sbin/sendmail -t <<EOF
    From: "myhost Administrator" <admin@myhost.example.com>
    To: john_doe@gmail.com
    Subject: An email subject

    You've received a new email.
    It has a subject of "$2"
    It was sent from "$1".
    EOF

If you're curious, here is the actual use case that raised this question in my opinion.

+4
3 answers

To avoid injection problems, you can also simply pass all the messages to the address you need through a script that reads the message from stdin and initially analyzes the headers you are interested in.

You can then use the libraries available in the scripting language that you selected to speak SMTP on a locally running mail server.

Thus, there is no execution of a command, and there is no need to worry about unsanitized input being used as arguments for a program.

0

I am not a security expert, but injection vulnerabilities exist in any unmanaged user input - especially if you send this source input to system commands that may have privileged access. Always check your input before doing this.

Check $1 and $2 to make sure that they contain only printable characters and have a reasonable length, for example, up to 1000 characters, before sending them to the mail system.

This is not too difficult to do, and it prevents you from getting hit by an unknown exploit.

One of the things I like about Perl is the taint mode, which prevents you from doing such things if you didn't clear the data first.

0

The shell script itself is pretty safe. The most vulnerable part of the mail is the header, and you do not allow the sender to change anything in it.

The only way I see into the script is that someone can pass a dot on a line by itself, which will end the mail prematurely. And there may be a case of nesting attachments using uuencode as follows:

    Subject: subject
    From: sender@example.com
    To: receiver@example.com

    text line 1
    text line 2
    begin 644 file-containing-abc
    $86)C"G]_
    `
    end

I am concerned about the line in .procmailrc, since I do not know the quoting rules. This may be the point at which an attacker can inject code, so you need to look up the rules in the manual and check them to be sure. Some characters you should check are $, ", \, and newlines.

0
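
The check suggested in the second answer (printable characters only, at most 1000 characters), combined with the newline and lone-dot concerns from the third answer, as an added example that is not part of the original posts. The function names, the replacement marker text and the use of sendmail's `-i` option are choices made for this example.

```bash
#!/bin/bash
# Added example (not from the original post): check the values procmail passes
# as $1 (From) and $2 (Subject) before placing them in the notification body.

MAX_LEN=1000   # length limit suggested in the answer above

# is_safe_field VALUE -> 0 if VALUE is at most MAX_LEN long and consists only of
# printable ASCII (space through ~); CR, LF, tab and other bytes are rejected.
is_safe_field() {
    local value=$1 bad
    [ "${#value}" -le "$MAX_LEN" ] || return 1
    # Count bytes outside 0x20-0x7E. wc -c is used instead of capturing the
    # bytes, because $(...) would silently drop a trailing newline.
    bad=$(printf '%s' "$value" | LC_ALL=C tr -d '\040-\176' | wc -c)
    [ "$bad" -eq 0 ]
}

# build_notice FROM SUBJECT -> prints the message for sendmail -t.
# Values that fail the check are replaced by a fixed marker (a policy chosen
# for this example), so a newline can never start a new line such as ".".
build_notice() {
    local from=$1 subject=$2
    is_safe_field "$from"    || from='[invalid From value removed]'
    is_safe_field "$subject" || subject='[invalid Subject value removed]'
    # The here-document expands $subject and $from once; any $(...) or
    # backticks inside the values are copied as text, not executed.
    cat <<EOF
From: "myhost Administrator" <admin@myhost.example.com>
To: john_doe@gmail.com
Subject: An email subject

You've received a new email.
It has a subject of "$subject"
It was sent from "$from".
EOF
}

# Send only when called with the two arguments from .procmailrc.
# -i tells sendmail not to treat a line containing only "." as end of input.
if [ "$#" -eq 2 ]; then
    build_notice "$1" "$2" | /usr/sbin/sendmail -i -t
fi
```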

Source: https://habr.com/ru/post/1334109/

