Awk Security Issues

Status
Not open for further replies.

Jimbo99

IS-IT--Management
Dec 2, 2003
2
DK
Hi there

Can anyone tell me whether there are any common security issues when programming in awk or techniques to avoid? There's a lot of stuff on Perl etc but I can't seem to find anything on awk? Obviously it depends on what you're doing with it but any known pitfalls, problems, techniques to avoid will be appreciated.

Thanks
 
Awk is a pattern matching and manipulation language primarily. I am not aware of any security issues with awk other than that it is a programming language capable of easily altering system files and that it has (as of gawk 3.1) a network app interface that is usable by unprivileged users.

It is also extremely powerful when used in conjunction
with the shell, in scripts for instance.
 
Thanks marsd. This may sound lame but can you elaborate on the "network app interface that is usable by unprivileged
users" as this is something I'm not aware of. Also, do you know of any awk programming no-no's?

Thanks
 
Okay-say for instance I have a baby cracker on board who likes to use things like netcat to muss the admin's hair, but I have to give him a shell..
I change permissions and groups for him, restricting the binaries I don't want him to have but he needs access to awk..

With a similar idea (!this code does not work!)

awk '
function my_bad(target, client, port,p) {
client = "/inet/tcp/0/localhost/" port
getline port < "-"
if (port) {
print "shellcode" target |& client
}
p = target":"port
return p
}
BEGIN {
getline victim < "-"
i = 0
while (victim != prev) {
i = i + 1
my_bad(victim)
potvicts = p
prev = victim
}
for (j in potvicts) {
printf "s" , potvicts[j] >> check_em_later.txt
}
}'

he can be dangerous.

But you could do the same thing with any programming language with a socket interface as long as you have
exploit code available...This idea just scratches the surface-if you have trustworthy users that's fine-
otherwise keep in mind that it is just as easy to set up a listening server socket as well that serves something like:
system("/bin/sh")
On the other hand without the newest awk, I really don't think there is too much that can be done as long as permissions are right...

Also I have noticed that I can use awk to look at and edit differently formatted code (hex, etc..) more easily
than with tools like cat and strings, ... and do a lot in the shell that is not easily done without. So, like everything else, awk can be abused.

Maybe one of the more expert guys would like to comment on this??
 
Umm. I keep forgetting that using the forbidden var char
looks like 1, will destroy the sense of what I am trying to do and make everything look squiggly-hope you get the point anyway....;-)
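
For admins who have to leave awk available to restricted accounts, the following is an added example (not code from any poster in this thread) that audits awk scripts for the constructs discussed above: gawk's /inet network special files, the |& two-way pipe, and system(). The rule names, file names and the two sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag awk constructs that reach beyond text processing.
# Rule names, file names and sample scripts are constructed for illustration.

# audit_awk FILE... prints "file:line:rule" per finding, returns 1 if any.
audit_awk() {
    awk '
    function hit(rule) { printf "%s:%d:%s\n", FILENAME, FNR, rule; found = 1 }
    /^[ \t]*#/                   { next }   # ignore whole-line comments
    $0 ~ "/inet[46]?/(tcp|udp)/" { hit("inet-socket") }  # gawk network special file
    index($0, "|&")              { hit("coprocess") }    # two-way pipe operator
    $0 ~ "system[ \t]*\\("       { hit("system-call") }  # runs a shell command
    END { exit found + 0 }
    ' "$@"
}

# make_samples DIR writes two constructed scripts to audit.
make_samples() {
    cat > "$1/report.awk" <<'EOF'
# sums column 3; /inet/tcp/ appears only in this comment
{ total += $3 }
END { print total }
EOF
    cat > "$1/netprobe.awk" <<'EOF'
BEGIN {
    svc = "/inet/tcp/0/localhost/13"
    svc |& getline line
    print line
    close(svc)
    system("date")
}
EOF
}

# Stand-alone run: audit the samples and report the result.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_samples "$dir"
    audit_awk "$dir"/*.awk || echo "risky constructs found"
    rm -rf "$dir"
fi
```

A text match like this only finds literal uses; a script that builds the /inet path from pieces at run time will not be flagged, so treat it as a review aid alongside file permissions and, on gawk versions that have it, the --sandbox option.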
 