author | Michael Boelen <michael.boelen@cisofy.com> | 2019-06-30 20:21:07 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2019-06-30 20:21:07 +0300 |
commit | fdacc00b453b451a6983d6a18819e1158ef32553 (patch) | |
tree | 2d7e9402f096df5df2e6dc3a2a8da6fa7be67ffa /include/binaries | |
parent | 5e4e44bdf3113b6978396f556beb4b4c21a05b78 (diff) |
Security: test PATH and warn or exit on discovery of dangerous location
Diffstat (limited to 'include/binaries')
-rw-r--r-- | include/binaries | 35 |
1 files changed, 28 insertions, 7 deletions
diff --git a/include/binaries b/include/binaries
index 33251431..201a07ab 100644
--- a/include/binaries
+++ b/include/binaries
@@ -42,18 +42,39 @@ Display --indent 2 --text "- Checking system binaries..." LogText "Status: Starting binary scan..." - # Test if our PATH variable provides a set of paths - # If so, reverse the order. If we discover the same binary multiple times, the one first in PATH - # should be used. - # If PATH is empty, we use the predefined list in include/consts. Common paths first, then followed - # by more specific paths. This helps on the slightly ancient UNIX derivatives. + # Notes: + # - If PATH is empty, we use the predefined list in include/consts + # - Common paths first, then followed by more specific paths. This helps on the slightly ancient UNIX derivatives. + # - Avoid sorting the path list, as this might result in incorrect order of finding binaries (e.g. awk binary) + + # Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary + # multiple times, the one first in PATH should be used. if [ ! -z "${PATH}" ]; then PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }') BIN_PATHS=$(echo "${PATH_REVERSED} ${BIN_PATHS}" | tr ':' ' ') fi - # Avoid sorting, as this might result in incorrect order of finding binaries (e.g. awk binary) - #SORTED_BIN_PATHS=$(echo ${BIN_PATHS} | tr ' ' '\n' | sort | uniq | tr '\n' ' ') + # First test available locations that may be suspicious or dangerous + for SCANDIR in ${BIN_PATHS}; do + FOUND=0 + if [ "${SCANDIR}" = "." ]; then FOUND=1; MSG="Found single dot (.) in PATH" + elif [ "${SCANDIR}" = ".." ]; then FOUND=1; MSG="Found double dot (..) in PATH" + elif echo ${SCANDIR} | grep '^\.\.' > /dev/null; then FOUND=1; MSG="Found path starting with double dot (..) 
in PATH" + elif echo ${SCANDIR} | grep '^[a-zA-Z]' > /dev/null; then FOUND=1; MSG="Found relative path in PATH" + fi + if [ ${FOUND} -eq 1 ]; then + # Stop execution if privileged, otherwise continue but warn user + if [ ${PRIVILEGED} -eq 1 ]; then + ExitFatal "Possible riskful location (${SCANDIR}) in PATH discovered. Quitting..." + else + Display --indent 4 --text "Warning: suspicious location (${SCANDIR}) in PATH" + ReportWarning "${TEST_NO}" "Possible riskful location in PATH discovered" "text:${MSG}" + sleep 1 + fi + fi + done + + # Now perform binary detection for SCANDIR in ${BIN_PATHS}; do LogText "Test: Checking binaries in directory ${SCANDIR}" ORGPATH="" |
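Review bot: The suspicious-location test in the new `for SCANDIR in ${BIN_PATHS}` loop misses two classic PATH hazards. An empty element (`PATH=/usr/bin::/bin`, or a leading or trailing colon) means the current directory, but the `awk -F:` / `tr ':' ' '` conversion discards empty fields during word splitting, so that case never reaches the check; a test on the original variable before the loop, `case ":${PATH}:" in *::*) FOUND=1; MSG="Found empty entry (current directory) in PATH" ;; esac`, would catch it. The `^[a-zA-Z]` pattern also lets relative entries such as `./bin` or `_tools` through, and since every safe entry must be absolute, the last two `elif` branches can be replaced by one `elif case "${SCANDIR}" in /*) false ;; *) true ;; esac; then FOUND=1; MSG="Found relative path in PATH"`, which also removes the unquoted `echo ${SCANDIR} | grep` pipelines. Finally, `[ ${PRIVILEGED} -eq 1 ]` raises a test error instead of deciding anything if PRIVILEGED happens to be unset here; `[ "${PRIVILEGED:-0}" -eq 1 ]` keeps the fatal-exit decision deterministic. The enclosing block and the second loop's body continue outside the hunk.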