I am developing an application that can establish a server-client connection using QTcp*

The client sends the server a number.

The received string is checked for its length and quality (is it really a number?).

If everything is OK, then the server replies back with a file path (which depends on the sent number).

The client checks if the file exists and if it is a valid image. If the file complies with the rules, it executes a command on the file.

What security concerns exist on this type of connection?

The program is designed for Linux systems and the external command on the image file is executed using QProcess. If the string sent contained something like (do not run the following command):

; rm -rf /

then it would be blocked on the file not found security check (because it isn't a file path). If there wasn't any check about the validity of the sent string then the following command would be executed:

command_to_run_on_image ; rm -rf /

which would cause panic! But this cannot happen.

So, is there anything I should take into consideration?

hytromo
  • Somehow I think your explanation is incomplete. The client sends a number, fine. What is the server doing with the number? The server sends you a path to a file? On your client's computer? And suddenly some command is executed? What command? Where does it come from? The server sends you, according to your explanation, only a path to an image. – Greenflow Aug 14 '13 at 13:41
  • I edited the question. The client sends a number, the server replies with a file path which depends on this number (the image is located on the client, but the server knows the path of it), and the client uses the path to execute a command on the image. The command executed on the image is not sent by the server. The client already knows what command to execute on the received path. – hytromo Aug 14 '13 at 14:19
  • I don't see any risks. In a sufficiently insecure environment I could sniff your numbers and the path. Maybe I could spoof a client request to the server, so you get a 'response' you never requested. But I cannot change the command. What happens when the client receives a path, which does not exist? Which it does not expect? Or one, which points to /etc/passwd? – Greenflow Aug 14 '13 at 14:29
  • Personally I'd probably obfuscate data sent to and received from the server a little bit. Nothing fancy, just to make sniffing a bit more difficult. This is for normal use. In a high security environment I would ask an expert. ;-) – Greenflow Aug 14 '13 at 14:34
  • If the path does not exist, then the client simply does nothing. As for /etc/passwd, it will find the file, but it will be an invalid image. Nothing is sent back to the server as response, whatever the result, though. – hytromo Aug 14 '13 at 14:44
  • As I said: I don't see a security risk. But I am not an expert. This is only an opinion. If someone can spoof your server, a DOS attack might be possible. – Greenflow Aug 14 '13 at 14:58

1 Answer

If you open a console and type command ; rm -rf /*, something bad would likely happen. It's because commands are processed by the shell. It parses text output, e.g. splits commands by the ; delimiter and splits arguments by spaces, then it executes the parsed commands with the parsed arguments using the system API.

However, when you use process->start("command", QStringList() << "; rm -rf /*");, there is no such danger. QProcess will not execute a shell. It will execute command directly using the system API. The result will be similar to running command "; rm -rf /*" in the shell.

So, you can be sure that only your command will be executed and the parameter will be passed to it as it is. The only danger is the possibility for an attacker to call the command with any file path he could construct. Consequences depend on what the command does.

Pavel Strakhov
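The remaining risk the answer names is the path itself: the server is untrusted input, so the client should decide which files the command may ever see before it calls QProcess. The following is an added example, not code from the question or the answer; it assumes the images must live under one allowed directory and carry a PNG or JPEG signature, and it uses std::filesystem instead of Qt so it builds without Qt.

```cpp
#include <array>
#include <filesystem>
#include <fstream>
#include <string>

namespace fs = std::filesystem;

// Accept only an existing regular file that resolves (after symlinks and "..")
// to somewhere below allowedRoot and that starts with a PNG or JPEG signature.
// Anything the server sends that fails this is ignored, never passed to QProcess.
bool isAcceptableImagePath(const std::string& received, const fs::path& allowedRoot) {
    std::error_code ec;
    fs::path canon = fs::canonical(received, ec);           // "; rm -rf /" fails: no such file
    if (ec || !fs::is_regular_file(canon, ec) || ec) return false;
    fs::path root = fs::canonical(allowedRoot, ec);
    if (ec) return false;
    auto r = root.begin();
    for (auto p = canon.begin(); r != root.end(); ++r, ++p)  // root must be a strict prefix
        if (p == canon.end() || *r != *p) return false;      // e.g. /etc/passwd lies outside
    std::ifstream in(canon, std::ios::binary);
    std::array<unsigned char, 8> hdr{};
    in.read(reinterpret_cast<char*>(hdr.data()), hdr.size());
    const auto n = in.gcount();
    static const std::array<unsigned char, 8> png{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    bool isPng = n == 8 && hdr == png;
    bool isJpeg = n >= 3 && hdr[0] == 0xFF && hdr[1] == 0xD8 && hdr[2] == 0xFF;
    return isPng || isJpeg;
}

// Constructed fixture (not real data): an allowed directory holding a file with
// a genuine PNG signature and a text file that merely pretends to be an image.
const fs::path& fixtureDir() {
    static const fs::path dir = [] {
        fs::path d = fs::temp_directory_path() / "qtcp-image-check-example";
        fs::create_directories(d);
        std::ofstream(d / "good.png", std::ios::binary) << "\x89PNG\r\n\x1a\n" "IHDR";
        std::ofstream(d / "fake.png", std::ios::binary) << "this is not an image";
        return d;
    }();
    return dir;
}

// In the Qt client an accepted path is then handed over as one argument, never
// through a shell: process->start("command_to_run_on_image", QStringList() << path);
```

The containment check is what stops a server-chosen path such as /etc/passwd or a "../" walk, and the signature check keeps a renamed non-image away from the command; both run before any QProcess call.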