Question

Computer Security

Investigate the meaning of all metacharacters used by the Linux/UNIX Bourne shell, which is commonly used by scripts running other commands on such systems. Compare this to that used by other common shells such as BASH or CSH. What does this imply about validation checks used to prevent command injection attacks?

Answer 1

According to Wikipedia, a metacharacters is any character that has a special meaning, such as a carat (^), dollar sign ($) or an asterisk (*).

In terms of Linux, there are a fair number of these metacharacters and their meanings differ depending on which Linux command or program you're running.

----------------------------------------------------------------------------------------------------------------------------------------------------------------

==========================The Full Stop As A Metacharacter (.)====================================

The humble full stop is used to indicate the current position when running commands such as cd, find or sh, but within applications such as awk, grep and sed it's a wildcard used to denote a specific number of any character.

As an example, the following command will find all mp3 files in the current folder and its subfolders.

If you run that command in your present working directory (pwd), you'll probably see results returned, assuming you keep your mp3 files in a music folder within your home folder.

Now look at this command:

The ps command lists all the running processes on your computer. The grep command takes lines of input and searches for a pattern.

Therefore the ps -ef command retrieves a list of running processes. The pipe (|) metacharacter sends that list to the grep command, which searches for any line in the list that contains "f..efox", where the period refers to two of any character.

If you have firefox running, you'll get a match. Similarly, if you have a program called fonefox or freefox running, they'll also be returned.

NOTE :- If you know you only need to search for a single character, instead of using the "." metacharacter, you can use "?". Using "?" refers to any single character either at the beginning or the end of the pattern.

============================The asterisk as a metacharacter (*)=================================

The asterisk is a more universally known metacharacter, and is used to mean zero or more of any character when searching for a pattern.

For example:

The *.mp3 returns a match for any filename that ends in .mp3. Similarly, I could have used the asterisk with the grep command in the last section as follows:

It's worth noting that this differs slightly because the asterisk means zero or more, so as well as finding firefox, facefox and fonefox it can also find flutefox, ferretfox and even just fefox.

===============================The Carat As A Metacharacter (^)==================================

The carat (^) is used to denote the start of a line or a string. So how is it used?

The ls command is used to list all the files in a folder as follows:

If you want to know all the files in a folder which begins with a certain string such as "gnome" then the carat can be used to specify that string.

For example:

Note that this only lists files that start with gnome. If you want files that have a gnome in the filename anywhere then you would revert back to using the asterisk.

In the above example, the ls returns a list of filenames and passes that list to the grep command, which is used for pattern matching. Grep knows that the carat symbol means find anything that starts with the characters that come after it, and in this case, that's "gnome".

================================The Dollar Symbol As A Metacharacter ($)===========================

The dollar symbol can have multiple meanings as a metacharacter within Linux.

When used to match patterns, it means the opposite to carat and denotes any pattern that ends with a particular string.

For example:

This lists all files that end with png.

The dollar symbol is also used to access environment variables within the bash shell.

For example:

The line export dog=molly creates an environment variable called dog and sets its value "molly". To access the environment variable the $ symbol is used. With the $ symbol, the echo $dog statement displays "molly". Without it, the echo dogstatement just displays the word dog.

======================================================================================

Common Metacharacters And Their Meanings

Character	Meaning
.	Any character
*	Zero or more characters
^	Match any line or string which start with a pattern (i.e ^gnome)
$	Match any line or string ending with a pattern (i.e gnome$)
\	Escapes the next character to remove its special meaning
[]	Match one of a list or range (i.e ["abc", "def"] or [1..9]
+	Match one or more preceding (i.e grep a+)
?	Match zero or one preceding

=======================What are the different Shells?=================================

1. The Bourne Shell

The Bourne shell (sh), written by Steve Bourne at AT&T Bell Labs, is the original UNIX shell. It is the preferred shell for shell programming because of its compactness and speed. A Bourne shell drawback is that it lacks features for interactive use, such as the ability to recall previous commands (history). The Bourne shell also lacks built-in arithmetic and logical expression handling.

The Bourne shell is the Solaris OS default shell. It is the standard shell for Solaris system administration scripts. For the Bourne shell the:

• Command full-path name is /bin/sh and /sbin/sh.
• Non-root user default prompt is $.
• Root user default prompt is #.

2. The C Shell

The C shell (csh):

• Is a UNIX enhancement written by Bill Joy at the University of California at Berkeley.
• Incorporated features for interactive use, such as aliases and command history.
• Includes convenient programming features, such as built-in arithmetic and a C-like expression syntax.

For the C shell the:

• Command full-path name is /bin/csh.
• Non-root user default prompt is hostname %.
• Root user default prompt is hostname #.

Here is a short comparison of the all 4 shells and their properties.

Shell	Path	Default Prompt (non-root user)	Default Prompt (Root user)
The Bourne Shell (sh)	/bin/sh and /sbin/sh	$	#
The C Shell (csh)	/bin/csh	%	#
The Korn Shell (ksh)	/bin/ksh	$	#
The GNU Bourne-Again Shell (Bash)	/bin/bash	bash-x.xx$	bash-x.xx#

===========================prevent command injection attacks==================================

Shell feature	USER_INPUT value	Resulting shell command	Explanation
Sequential execution	; malicious_command	/bin/funnytext ; malicious_command	Executes funnytext, then executes malicious_command.
Pipelines	| malicious_command	/bin/funnytext | malicious_command	Sends the output of funnytext as input to malicious_command.
Command substitution	`malicious_command`	/bin/funnytext `malicious_command`	Sends the output of malicious_command as arguments to funnytext.
Command substitution	$(malicious_command)	/bin/funnytext $(malicious_command)	Sends the output of malicious_command as arguments to funnytext.
AND list	&& malicious_command	/bin/funnytext && malicious_command	Executes malicious_command iff funnytext returns an exit status of 0 (success).
OR list	|| malicious_command	/bin/funnytext || malicious_command	Executes malicious_command iff funnytext returns a nonzero exit status (error).
Output redirection	> ~/.bashrc	/bin/funnytext > ~/.bashrc	Overwrites the contents the .bashrc file with the output of funnytext.
Input redirection	< ~/.bashrc	/bin/funnytext < ~/.bashrc	Sends the contents of the .bashrc file as input to funnytext.

======================================Shell injection==========================================   

Shell injection (or command injection[16]) is named after Unix shells, but applies to most systems which allow software to programmatically execute a command line. Here is an example vulnerable tcsh script:

#!/bin/tcsh
# check arg outputs it matches if arg is one
if ($1 == 1) echo it matches

If the above is stored in the executable file ./check, the shell command ./check " 1 ) evil" will attempt to execute the injected shell command evil instead of comparing the argument with the constant one. Here, the code under attack is the code that is trying to check the parameter, the very code that might have been trying to validate the parameter in order to defend against an attack.[17]

Any function that can be used to compose and run a shell command is a potential vehicle for launching a shell injection attack. Among these are system(), StartProcess(), and System.Diagnostics.Process.Start().