Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Poor Punctuation Can Break Windows

Posted by timothy on from the no-os-is-immune-to-error-or-malice dept.

An anonymous reader writes with a report at Ars Technica about how a small bug can lead to a security problem. In this case, the problem is that quotation marks — or the lack of them — can be significant. From the Ars article: "The scenario... requires a 'standard' user with access rights to create a directory to a fileserver and an administrator executing a vulnerable script," Frank Lycops and Raf Cox, security researchers with The Security Factory, said in an e-mail interview. "This allows the attacker to gain the privileges of the user running the script, thus becoming an administrator." While the attack falls short of the severity of the Shellshock family of Linux shell vulnerabilities, the two researchers stressed that it's a good example of how untrusted input can be used to execute commands on a system. The researchers identified at least one popular script with the vulnerability. When the script attempts to set the starting directory for system administration work, it inadvertently runs the command appended to the malicious directory's name as well. ... The solution is to use proper coding practices—in this case, the judicious use of quotation marks. Quotation marks are used in the shell environment to make sure that the data inside the quotes is not interpreted by the program as a command.

5 of 94 comments (clear)

  1. Re:Problematic for Linux too by bruce_the_loon · · Score: 3, Insightful

    At least you can diagnose and fix issues with shell scripts with vi and a bit of knowledge. Try that with a binary blob that stores its data in a binary store.

    --
    Trying to become famous by taking photos. Visit my homepage please.
  2. Re:Shellshock is way worse by BronsCon · · Score: 5, Insightful

    On the other hand you could do much worse on Linux using Bash to remotely gain control to a system with no administrator action required.

    ... but it was patched in under a week. The sysadmins who haven't applied the patches (which didn't require a reboot, or even so much as reloading the shell after installation) are the same ones who run Windows boxes so far behind on patches they're still remotely exploitable, too. Hell, they probably run Apache on Cygwin on Windows and never patched that, making their Windows box vulnerable to Shellshock. That's possible because, guess what, Bash isn't Linux and, in fact, predates Linux; Bash runs on *every* OS. Yes, even the iPhone can run Bash if you jailbreak it.

    For the record, Yahoo, running FreeBSD, was compromised via Shellshock. Apple's Darwin kernel, which both OSX and iOS run on top of, was forked from the very same kernel Yahoo's servers run, and yes, OSX Yosemite is still waiting for a patch for Heartbleed, which means I have to keep a large number of services I'd like to be running disabled for the time being. My Linux servers, though, were all patched within hours; when an alternate exploit was found, they were once again patched in hours. I'm not even sure the Windows POSIX layers have released patched builds yet, so at this point Windows systems are more vulnerable to this than anything other production system (Yodsemite is still in beta, remember); fortunately, I don't run a POSIX layer on my Windows dev box.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  3. Quotes by sqlrob · · Score: 5, Insightful

    Quotation marks are used in the shell environment to make sure that the data inside the quotes is not interpreted by the program as a command.

    Except in the cases it triggers the exploit. IMHO, that's the newsworthy bit of this.

    Not quoting causes issues is news along the same level as "water is wet". Trying to be secure and breaking things? That's big. At least it's not possible with filenames.

  4. Re:Problematic for Linux too by TechyImmigrant · · Score: 1, Insightful

    At least you can diagnose and fix issues with shell scripts with vi and a bit of knowledge. Try that with a binary blob that stores its data in a binary store.

    Well with the source code of the binary blob, you could diagnose and fix issues with vi and a bit of knowledge.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. Re:Yawn by nmb3000 · · Score: 4, Insightful

    While this article did kinda make me roll my eyes, it's not quite as simple as that.

    The basic idea they're saying is that if a user can create a directory with an arbitrary name (which is normal for a file-server), and that later on an Admin runs a maintenance script which doesn't quote input correctly, arbitrary user commands can be executed with administrative permissions.

    So user does:

    D:\Users\b\bob123> md "Foo&evil_command"

    Days, weeks, months later, an admin decides to run a cleanup/repoting batch file that was written in 1996:

    D:\Users> C:\Scripts\cleanup.bat

    If the script descends into the filesystem and somewhere in that script is the line: SET CurDir=%CD%, then the effective command SET CurDir=Foo&evil_command is executed.

    The end result is that evil_command is invoked by the admin. If the admin is a domain admin and that command happened to be net localgroup "Domain Admins" domain\bob123 /domain, then bob has just been added to the Domain Admins group.

    It's an absurdly tiny problem compared to the Bash shell exploit, but it is in fact a violation of security boundaries. Raymond's airtight hatchway stories are when no boundary has been crossed.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)