SHC protected shell script is vulnerable

From: UnixFan (gxy1997_at_yahoo.com.au)
Date: 09/18/03

    Date: 18 Sep 2003 00:05:34 -0700
    
    

    SHC protected shell scripts are vulnerable to debugging.

    SHC does not truly "compile" your script into a binary: the generated binary
    still needs the interpreter program to run your original script, so it is
    possible that the original script can be captured.

    The problem is that almost every (sh/ksh/csh/bash/tcsh/zsh, etc.) shell script
    (if not all scripts) protected by SHC can be easily captured.

    The following is the procedure to capture the original script from SHC
    generated program:

    Let's assume the original script is written in bash.

    1. create a link for the program:
            ln -s the-shc-protected-program ./-bash
    2. in your ~/.profile, add in following statements:
            if [ -f ~/.shc_capture ]
            then
                    rm -f ~/.shc_capture
                    echo "Now you can attach to $$, press Enter to continue"
                    read nl
            else
                    touch ~/.shc_capture
            fi
    3. in terminal 1, run
            ./-bash whatever-args
    4. in terminal 2, run
            gdb -p PID
       the PID should be the number displayed in terminal 1 in "Now you can attach
       to ...."
       
       type "bt" to display the frames.
       type "s" here and then press the Enter key in terminal 1.
       in terminal 2, type "bt" again, now you should see the #Frame number for
       "main ()".
       let's assume it's frame number 14.
       type "fr 14".
       type "info f".
       find the Arglist address "Arglist at 0x*******", let's assume it's 0xbfffe6c8.
       adding 0xc (decimal number 12) to the above number, now we get 0xbfffe6d4.
       type "print (char **)* 0xbfffe6d4".
       now you will get a HEX number, let's assume 0xbfffe724.
       adding 8 to 0xbfffe724, we get 0xbfffe72c.
       type "print (char *)* 0xbfffe72c", now you get another address, let's assume
       0xbfffe892.
       type "printf "%s", 0xbfffe892".
       when you see "---Type <return> to continue, or q <return> to quit---" at the
       bottom of the terminal screen, type the Enter key, until you see something
       different: that is the original script!!!

    So, now you can see that, like Cactus' SHELL-LOCK, SHC cannot provide adequate
    protection for your shell scripts. Neither of them truly compiles your script
    into binary code, so you will not get any performance gain; instead,
    performance will be degraded due to the extra work.

    I also tested the just-released wzshSDK V4.4; it seems not to be vulnerable to
    temp-watch, and I tried to use the similar method described here to capture the
    original script, without success.

