Again,

No. You can send it, but it won't be executed by kannel. It will be passed on as an argument to your script. What your script does with it is your own responsibility. Kannel is not IE.

If you choose to "execute" instead of sending your arguments, it's nobody's fault.

BR,
Nikos
----- Original Message ----- From: "Iain Dooley" <i...@workingsoftware.com.au>
Cc: <users@kannel.org>
Sent: Sunday, December 14, 2008 6:53 AM
Subject: Re: Is kannel's "exec" receiver method insecure?


wouldn't it be possible to send in an SMS that had:

"here is the content of my sms; echo "SOME MALICIOUS CODE" > /tmp/"

for example to poison a web server's session cache?

or are the arguments escaped for shell args prior to exec being called?

cheers
iain

On Sun, 14 Dec 2008, Nikos Balkanas wrote:

Dear shaded,

I cannot give you the example that you request, except to show you that your fears are unfounded:

1) kannel runs as a different user (i.e. kannel). No root access.
2) Unless the someprogram.sh is:

#!/bin/bash

exec $3

you have nothing to worry about. But in this case your script is responsible, not?? A script like:

#!/bin/bash

echo "$1 $2 $3"

cannot do any harm under any circumstances. Of course it doesn't do anything useful either. You just need to send $1 $2 $3, not execute them. If a C executable is involved you just have to watch for buffer overruns in the argument list. Your responsibility again, right? Therefore no harm in sending a message like "rm -rf *".

3) Your script is only locally accessible, i.e. you have to have local access to your server, or through kannel. And kannel usage is logged, accounted and billed for. So no DOS sendsms either. Just make sure that you set the right permissions (100) to the script w/ owner kannel.

4) You cannot buffer overrun kannel with a very long $3. It is not using strcpy. Just malloc. Try it if you wish.

In conclusion responsibility is up to you and the script you provide. Now if someone cracks your server and replaces your script w/ something bad (he needs kannel access to do it), you could get into all sorts of trouble that kannel could cause. But if the cracker has already kannel access, why bother with the script? He can already cause all the harm by himself.

BR,
Nikos

----- Original Message ----- From: "shaded 4" <shad...@gmail.com>
To: <users@kannel.org>
Sent: Sunday, December 14, 2008 5:12 AM
Subject: Is kannel's "exec" receiver method insecure?


When kannel receives an SMS message from a mobile phone,
as far as I know it can do one of four things:
a) Give back a simple text response.
b) Give back the contents of a file.
c) Fetch a URL.
d) Execute a given shell command/script.

I really want to use d) for the flexibility offered, but
is there *any* way to use d) completely securely? Can someone
show an example of an "exec" line where it is impossible
for someone to craft an evil SMS message that
could execute dangerous commands on my system?

The kannel user guide of course gives this warning:
 BEWARE: You may harm your system if you use this
 sms-service type without serious caution! Make sure
 anyone who is allowed to use these kind of services
 is checked using white/black-list mechanisms for
 security reasons.
But I wish it would show an example of safe usage
(if it exists).

For example, my sms-service group might have an obvious
'exec' entry like this:
   group = sms-service
   keyword = whatever
   exec = "someprogram.sh %p %P %r"
(where %r is of course most of the SMS message),

I would think that someone could send a malicious SMS message
like this for example:
   ; rm -rf *
or any arbitrary other command.

The only "saving grace" appears to be that kannel seems
to automatically URL-encode many of the characters in the above
parameters like %r, and replaces spaces with '+'.
So for example, the above "; rm -rf *" actually gets changed by
kannel to
   %3B+rm+-rf+*
which reduces the chances of a malicious SMS message doing damage.

Even if it is "secure", it could also be possible that an SMS sender
inadvertently sends some character which might trip up the shell.
E.g. if I write the exec in this way, surrounding the parameters
with single quotes:
   exec = "someprogram.sh '%p' '%P' '%r'"
then *maybe* it could be possible for the shell to trip up if
the SMS sender innocently sends a single quote as part of the message.
(I'm not saying it will - I actually haven't tested this scenario,
  but you get the point.)
Kannel will then presumably lose the SMS message, and the
customer will be none the wiser.

Unfortunately, I need this particular SMS receiver service to be open
to anyone, i.e. I can't whitelist or blacklist anybody.

So does anyone have an "exec" entry which is perfectly secure
and will not trip up no matter which characters are in the
SMS message?
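
Added example (not part of the original thread, and not Kannel project code): a receiver script for the exec = "someprogram.sh %p %P %r" entry that only ever treats its three arguments as data, which is the distinction the replies above draw. The command words BAL and STOP, the reply texts, the 160-character limit and the choice to reject percent escapes instead of decoding them are assumptions made for illustration.

```shell
#!/bin/sh
# Hardened receiver sketch for: exec = "someprogram.sh %p %P %r"
# $1 = sender (%p), $2 = receiver (%P), $3 = message text (%r)
# Rule: arguments are data. No eval, no unquoted expansion, no `exec $3`.
LC_ALL=C; export LC_ALL   # make A-Z / a-z ranges byte-exact

# Accept only letters, digits and spaces, 1..160 characters (assumed limit).
# Shell metacharacters, quotes and percent escapes all fail this check.
is_clean() {
    case $1 in
        ''|*[!A-Za-z0-9\ ]*) return 1 ;;
    esac
    [ "${#1}" -le 160 ]
}

handle_sms() {
    sender=$1
    # The thread reports spaces arriving as '+'; undo only that substitution.
    text=$(printf '%s' "$3" | tr '+' ' ')

    if ! is_clean "$text"; then
        printf 'rejected\n'
        return 0
    fi

    # First word, upper-cased, matched against a fixed allow-list.
    # The message never becomes a command name, an option or a path.
    keyword=$(printf '%s' "${text%% *}" | tr 'a-z' 'A-Z')
    case $keyword in
        BAL)  printf 'balance request from %s\n' "$sender" ;;
        STOP) printf 'unsubscribed %s\n' "$sender" ;;
        *)    printf 'unknown command\n' ;;
    esac
}

# Run the handler only when called with the three arguments from the exec line.
if [ "$#" -eq 3 ]; then
    handle_sms "$1" "$2" "$3"
fi
```

printf '%s' is used instead of echo so that a message beginning with "-n" or containing backslashes is printed literally by every shell.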






