Posted: . At: 12:13 PM. This was 4 weeks ago. Post ID: 19427


Why you should not rely on /bin/cat to read a script before running it…


Using /bin/cat to read a script before running it on Linux is not the best idea. This is not because cat is buggy: cat writes the file's bytes to the terminal exactly as they are, and the terminal then interprets any escape sequences among them, so a script can rewrite what you see on screen.

Here is an example.

Here I am checking the contents of a script before running it.

(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 Documents  $ cat demo.sh 
#!/bin/sh
echo "Hello, this is a harmless script. Just passing by."

This looks fine, right?

But.

When I run this, it prints the contents of the /etc/passwd file instead…

(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 Documents  $ bash demo.sh 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
sssd:x:998:994:User for sssd:/:/sbin/nologin
polkitd:x:997:993:User for polkitd:/:/sbin/nologin
cockpit-ws:x:996:992:User for cockpit web service:/nonexisting:/sbin/nologin
cockpit-wsinstance:x:995:991:User for cockpit-ws instances:/nonexisting:/sbin/nologin
chrony:x:994:990:chrony system user:/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
systemd-oom:x:988:988:systemd Userspace OOM Killer:/:/usr/sbin/nologin
jcartwright:x:1000:1000:John Cartwright:/home/jcartwright:/bin/bash
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
geoclue:x:987:987:User for geoclue:/var/lib/geoclue:/sbin/nologin
libstoragemgmt:x:986:986:daemon account for libstoragemgmt:/:/usr/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin

How can this be?

The answer is in the script itself. Opened in vim, which renders the escape character as ^[ instead of passing it to the terminal, it looks like this:

#!/bin/sh
cat /etc/passwd
exit
^[[A^[[Aecho "Hello, this is a harmless script. Just passing by."

The script works by including raw escape sequences. ^[ is the escape character (byte 0x1b), and ^[[A is the ANSI "cursor up" sequence, so the two of them move the cursor up two lines before the echo line is printed. The harmless-looking line is therefore drawn over the top of the cat /etc/passwd line, and the terminal shows you a script that does not exist. The exit on the third line also means the script never reaches the mangled echo line when it runs, so nothing happens that might give the trick away. Nothing in cat itself is at fault: it faithfully wrote every byte, and the terminal did the rest. A script could hide anything this way, for example a command that deletes every file in your home directory. So use VIM instead of cat to check a script before running it: vim shows control characters as ^[ (and ^M, ^H and so on) rather than letting the terminal act on them. cat -v or cat -A does the same from the command line, and less also shows them as ^[ unless you pass -r or -R. In light of the xz debacle and possibly other Linux backdoors, always properly check a text script with VIM or Midnight Commander's text editor first.
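The trick above, reproduced and then caught, as an added example that is not part of the original post. The decoy script is constructed by the example itself (its payload is a harmless id rather than cat /etc/passwd, but the cursor-up sequences are the same), and the function names, the temporary file and the control-character threshold are this example's own choices, not anything the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post: build a script that hides a
# command behind cursor-movement escapes, then show two checks that expose it.
# make_decoy, has_escape, count_control_chars and demo are hypothetical names.

ESC=$(printf '\033')   # the escape byte, 0x1b, which vim and cat -v show as ^[

# Write the decoy script to the path given as $1.  Line 2 is the real payload;
# line 4 starts with two ESC[A (cursor up) sequences, so when the file is
# cat'ed to a terminal the harmless echo line is drawn over the top of line 2.
# The payload here is `id`, not `cat /etc/passwd`, but the mechanism is identical.
make_decoy() {
    printf '#!/bin/sh\nid\nexit\n%s[A%s[Aecho "Hello, this is a harmless script. Just passing by."\n' \
        "$ESC" "$ESC" > "$1"
}

# Check 1: does the file contain any ESC byte at all?  Exit status 0 if it does.
# A plain text script has no business containing one.
has_escape() {
    grep -q "$ESC" "$1"
}

# Check 2: count control bytes other than newline and tab (so ESC, carriage
# return, backspace, ...).  Anything non-zero deserves a look with cat -v or vim.
count_control_chars() {
    tr -d '\n\t' < "$1" | tr -dc '\001-\037\177' | wc -c | tr -d ' '
}

# Show the deceptive view, then the honest views, then the automated verdict.
demo() {
    tmp=$(mktemp)
    make_decoy "$tmp"
    echo "=== plain cat: what the terminal lets you see ==="
    cat "$tmp"
    echo "=== cat -v: escapes rendered as ^[ instead of interpreted ==="
    cat -v "$tmp"
    echo "=== od -c: every byte, no terminal involved ==="
    od -c "$tmp"
    if has_escape "$tmp"; then
        echo "REFUSING to run $tmp: it contains terminal escape sequences" \
             "($(count_control_chars "$tmp") control bytes)"
    fi
    rm -f "$tmp"
}

demo
```

Run it in a real terminal to see the first cat output lie while cat -v and od -c tell the truth. The has_escape check is the one worth wiring into whatever wrapper you use before executing downloaded scripts; count_control_chars is broader and also flags carriage returns and backspaces, which can be abused to the same end.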

