Old 04-25-2023, 04:13 PM   #21
elinkser
Addict
 
Posts: 242
Karma: 146236
Join Date: Oct 2022
Device: Kobo Clara HD
IMPROVE SECURITY OF SHELL SCRIPT PROCESSING OF USER INPUT:

It is unlikely that our Kobo device will be made "secure" by improving the security of the shell script alone, but why not at least make an honest attempt to minimize the vulnerability?



We can get some idea of the nature of the threat from:
https://portswigger.net/web-security...mand-injection

Ways of injecting OS commands

A variety of shell metacharacters can be used to perform OS command injection attacks.
A number of characters function as command separators, allowing commands to be chained together. The following command separators work on both Windows and Unix-based systems:

& && | ||

The following command separators work only on Unix-based systems:

; Newline (0x0a or \n)

On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:

`injected command`
$(injected command)

How to prevent OS command injection attacks

By far the most effective way to prevent OS command injection vulnerabilities is to never call out to OS commands from application-layer code. In virtually every case, there are alternate ways of implementing the required functionality using safer platform APIs.

If it is considered unavoidable to call out to OS commands with user-supplied input, then strong input validation must be performed. Some examples of effective validation include:

Validating against a whitelist of permitted values.
Validating that the input is a number.
Validating that the input contains only alphanumeric characters, no other syntax or whitespace.

Never attempt to sanitize input by escaping shell metacharacters. In practice, this is just too error-prone and vulnerable to being bypassed by a skilled attacker.



We get an example of validating input from:
https://www.fosslinux.com/101589/bas...rabilities.htm

For example, let’s say you have a Bash script that prompts the user to enter a filename and then performs some operation on that file. To sanitize the user input and prevent potential code injection attacks, you could use the following code to validate the input:

#!/bin/bash

# Prompt the user for a filename
read -p "Enter the filename: " filename

# Sanitize the input using a regular expression
if [[ $filename =~ ^[a-zA-Z0-9_./-]+$ ]]; then
    # The input is valid, perform some operation on the file
    echo "Performing operation on file: $filename"
else
    # The input is invalid, exit the script with an error message
    echo "Invalid filename: $filename"
    exit 1
fi

In this example, the regular expression ^[a-zA-Z0-9_./-]+$ is used to match only alphanumeric characters, underscores, slashes, dots, and hyphens. This allows the user to enter filenames with standard characters without allowing any special characters that could be used to inject malicious code into the script.


***
In our vncNexus.sh script from the previous post, we can sanitize the fourthOctet variable with:

if [[ $fourthOctet =~ ^[0-9]+$ ]]; then
    echo "$fourthOctet is numeric"
else
    # no leading $ on an assignment: "$fourthOctet = ..." would make the shell
    # try to run the variable's value as a command instead of assigning to it
    fourthOctet="invalid"
fi



We also need to do string-to-integer conversions (and back) for bounds checking:
https://stackoverflow.com/questions/...back-to-string

***
In our vncNexus.sh script, we can thus process the fourthOctet variable for bounds-checking with:

# only do the arithmetic conversion after the numeric check above has passed
num=$((fourthOctet))
# two separate single-bracket tests joined by &&, not a mixed [[ ... ] && [ ... ]]
if [ "$num" -ge 0 ] && [ "$num" -le 255 ]
then
    break   # leave the re-prompt loop once the value is in range
fi

Putting it all together in a new, more secure script vncNexus2.sh
(removed printf, added error msg)

************

#!/bin/sh
# vncNexus2 connect address - more secure version

num=256
# keep prompting until num holds a validated value in 0-255
# (num only ever contains digits, so the -lt 0 test can never fire, but it documents the range)
while [ "$num" -lt 0 ] || [ "$num" -gt 255 ]
do
    qndb -m dlgConfirmCreate true
    qndb -m dlgConfirmSetTitle "Enter VNC address fourth octet (0-255):"
    qndb -m dlgConfirmSetLEPlaceholder "einkvnc2 192.168.43.fourthOctet"
    qndb -m dlgConfirmShow
    result=$(qndb -s dlgConfirmTextInput)
    # quote every expansion: an unquoted $result would be word-split and glob-expanded
    fourthOctet=$(echo "$result" | sed 's/dlgConfirmTextInput //')
    num=$(echo "$fourthOctet" | sed 's/[^0-9]//g')
    num=${num:-256}
    # reject the input if any character was stripped, or if it is longer than three
    # digits (a very long digit string would make the -gt 255 comparison fail instead of being false)
    if [ "$num" != "$fourthOctet" ] || [ ${#num} -gt 3 ]
    then
        num=256
    fi
done

pwlen=33
while [ "$pwlen" -lt 6 ] || [ "$pwlen" -gt 32 ]
do
    qndb -m dlgConfirmCreate true
    qndb -m dlgConfirmSetTitle "Enter VNC password (6-32 alphanumeric characters):"
    qndb -m dlgConfirmSetLEPlaceholder "abcdefg123"
    qndb -m dlgConfirmShow
    result=$(qndb -s dlgConfirmTextInput)
    mypw=$(echo "$result" | sed 's/dlgConfirmTextInput //')
    vncpw=$(echo "$mypw" | sed 's/[^A-Za-z0-9]//g')
    vncpw=${vncpw:-0}
    pwlen=${#vncpw}   # POSIX string length, replaces expr "$vncpw" : "$vncpw"
done

# both inserted values are restricted to [0-9] / [A-Za-z0-9] above, so the unquoted
# $vnccmd expansion below can only split on the spaces written here
vnccmd="/mnt/onboard/alpinex/einkvnc2 192.168.43.$num 5900 --password $vncpw --contrast 2"
qndb -m mwcToast 3000 "$vnccmd"
vncerr=$($vnccmd 2>&1)
qndb -m mwcToast 3000 "${vncerr:-"Bye!"}"


************

Last edited by elinkser; 06-01-2023 at 09:08 PM. Reason: removed printf, added error msg
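As an added example (not code from the post or from the einkvnc2 project), here are the two whitelist checks from vncNexus2.sh as POSIX sh functions that can be exercised outside the qndb dialog loop, fed with the separators and inline-execution forms the PortSwigger excerpt lists; the function names and the sample inputs are constructed here.

```shell
#!/bin/sh
# Added example, not code from the post: the two whitelist checks from
# vncNexus2.sh as POSIX sh functions that can be exercised outside the
# qndb dialog loop. Function names and the sample inputs are constructed.

# valid_octet STRING: succeeds only for 1-3 ASCII digits with value 0..255
valid_octet() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or any non-digit: ; | & ` $ ( ) space, newline ...
    esac
    [ ${#1} -le 3 ] || return 1    # length cap, so "$1" -le 255 never overflows busybox test
    [ "$1" -le 255 ]
}

# valid_password STRING: succeeds only for 6-32 ASCII letters and digits
valid_password() {
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    [ ${#1} -ge 6 ] && [ ${#1} -le 32 ]
}

# build_vnc_cmd OCTET PASSWORD: prints the command line vncNexus2.sh would
# toast and run, or prints nothing and fails if either value is rejected.
# Because both values passed the whitelists, the string can only ever split
# on the spaces written here, never on a metacharacter from the user.
build_vnc_cmd() {
    valid_octet "$1" && valid_password "$2" || return 1
    printf '%s\n' "/mnt/onboard/alpinex/einkvnc2 192.168.43.$1 5900 --password $2 --contrast 2"
}

# Constructed inputs, including the separators and inline-execution forms
# quoted from the PortSwigger text above.
for octet in 0 255 '12;reboot' '`id`' '$(id)' '1 2' 256 99999999999999999999; do
    if valid_octet "$octet"; then echo "octet accepted: [$octet]"
    else echo "octet rejected: [$octet]"; fi
done
for pw in abcdefg123 short 'abc&&defgh' 'abcdefg*'; do
    if valid_password "$pw"; then echo "password accepted: [$pw]"
    else echo "password rejected: [$pw]"; fi
done
```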