Bash Child / Parent Pipe Inheritance Exploit

Time: 2016-08-25 16:41:45

Tags: bash posix exploit

#!/bin/bash
ipaddr=${1}
rdlnk=$(readlink /proc/$$/fd/0)   # what this process's fd 0 (stdin) points at
user=""
passwd=""
function get_input() {
  # If stdin is a pipe (inherited from the parent), drain it line by line,
  # filling whichever of ipaddr / user / passwd is still empty.
  if grep -Eq "^pipe:|deleted" <<< "${rdlnk}" || [[ -p "${rdlnk}" ]]; then
    while IFS= read -r piped_input || break; do
      [[ -z "${ipaddr}" ]] && ipaddr="${piped_input}" && continue
      [[ -z "${user}" ]]   && user="${piped_input}"   && continue
      [[ -z "${passwd}" ]] && passwd="${piped_input}" && continue
    done
  fi
  echo "Got that IP address you gave me to work on: ${ipaddr}"
  [[ -n "${user}" ]] && echo "[... and that user: ${user}]"
  [[ -n "${user}" ]] && echo "[... and that users password: ${passwd}]"
}
get_input
exit 0

Normally this is harmless:

$> process_ip.bsh 71.123.123.3
Got that IP address you gave me to work on: 71.123.123.3

But put the parent in a loop reading from a pipe and watch:

$ echo -en "71.123.123.3\nroot\ntoor\n" | while read a; do echo "Parent loop, processing: ${a}"; grep -q '^[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}' <<< "${a}" && ./process_ip.bsh "$a"; done

Parent loop, processing: 71.123.123.3
Got that IP address you gave me to work on: 71.123.123.3
[... and that user: root]
[... and that users password: toor]

Ouch. The parent only meant to hand the child an IP address from its pipe. Suppose the parent has to keep a pipe containing sensitive data open at the moment it forks the child. How can this be prevented?

1 answer:

Answer 0 (score: 0)

Like any other process, process_ip.bsh inherits its standard input from its parent process. This line

rdlnk=$(readlink /proc/$$/fd/0)

does not do quite what you think. It only holds the name of the file the parent uses for standard input, because the script inherits its standard input from the parent. ($$ is the process ID of the current shell, since ./process_ip.bsh is a separate process, not just a subshell started by the parent.)

If you redirect the input of process_ip.bsh, you have full control over what it receives.

while read a; do
    echo "Parent loop, processing: ${a}"
    grep -q '^[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}' <<< "${a}" &&
      ./process_ip.bsh "$a" < /dev/null   # child no longer sees the parent's input
done <<EOF
71.123.123.3
root
toor
EOF
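To make both halves of this concrete, the following added example (not part of the question or the answer) reproduces the inherited-pipe leak with a constructed stand-in for process_ip.bsh, then applies the `< /dev/null` redirection from the answer and reports, for each parent iteration, how many lines the child swallowed. It assumes a POSIX sh with mktemp and a writable temp directory.

```shell
#!/bin/sh
# Added example, not the original poster's code. Constructed stand-in child:
# like process_ip.bsh it drains stdin when stdin is an inherited pipe, and it
# prints how many lines it swallowed so the leak can be measured.
CHILD=$(mktemp) || exit 1
trap 'rm -f "$CHILD"' EXIT
cat > "$CHILD" <<'EOF'
#!/bin/sh
n=0
if [ -p /dev/stdin ]; then                 # inherited pipe from the parent?
  while IFS= read -r line; do n=$((n + 1)); done
fi
echo "$n"
EOF
chmod +x "$CHILD"

# Parent loop over the same three constructed lines the question uses.
# $1 is "leaky" (child inherits the pipe) or "safe" (child gets /dev/null).
# Prints one "<line the parent read>:<lines the child swallowed>" per iteration.
run_parent() {
  mode=$1
  printf '71.123.123.3\nroot\ntoor\n' | while IFS= read -r a; do
    if [ "$mode" = safe ]; then
      swallowed=$("$CHILD" "$a" < /dev/null)   # the fix from the answer
    else
      swallowed=$("$CHILD" "$a")               # stdin inherited: the leak
    fi
    echo "$a:$swallowed"
  done
}

# Number of lines the parent loop actually got to process in a given mode.
parent_iterations() { run_parent "$1" | wc -l | tr -d ' '; }

echo "leaky: $(run_parent leaky | tr '\n' ' ')"   # parent sees 1 line, child ate 2
echo "safe:  $(run_parent safe  | tr '\n' ' ')"   # parent sees all 3, child ate 0
```

A parent loop that terminates after fewer iterations than it has input lines is the observable symptom of this leak; the redirection restores the expected count.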