When kannel receives an SMS message from a mobile phone,
as far as I know it can do one of four things:
a) Give back a simple text response.
b) Give back the contents of a file.
c) Fetch a URL.
d) Execute a given shell command/script.

I really want to use d) for the flexibility offered, but
is there *any* way to use d) completely securely? Can someone
show an example of an "exec" line where it is impossible
for someone to craft an evil SMS message that
could execute dangerous commands on my system?

The kannel user guide of course gives this warning:
  BEWARE: You may harm your system if you use this
  sms-service type without serious caution! Make sure
  anyone who is allowed to use these kind of services
  is checked using white/black-list mechanisms for
  security reasons.
But I wish it would show an example of safe usage
(if it exists).

For example, my sms-service group might have an obvious
'exec' entry like this:
    group = sms-service
    keyword = whatever
    exec = "someprogram.sh %p %P %r"
(where %r is of course most of the SMS message),

I would think that someone could send a malicious SMS message
like this for example:
    ; rm -rf *
or any arbitrary other command.

The only "saving grace" appears to be that kannel seems
to automatically URL-encode many of the characters in the above
parameters like %r, and replaces spaces with '+'.
So for example, the above "; rm -rf *" actually gets changed by
kannel to
    %3B+rm+-rf+*
which reduces the chances of a malicious SMS message doing damage.

Even if it is "secure", it could also be possible that an SMS sender
inadvertently sends some character which might trip up the shell.
E.g. if I write the exec in this way, surrounding the parameters
with single quotes:
    exec = "someprogram.sh '%p' '%P' '%r'"
then *maybe* it could be possible for the shell to trip up if
the SMS sender innocently sends a single quote as part of the message.
(I'm not saying it will - I actually haven't tested this scenario,
but you get the point.)
Kannel will then presumably lose the SMS message, and the
customer will be none the wiser.

Unfortunately, I need this particular SMS receiver service to be open
to anyone, i.e. I can't whitelist or blacklist anybody.

So does anyone have an "exec" entry which is perfectly secure
and will not trip up no matter which characters are in the
SMS message?

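An added example, not part of the original post and not Kannel's own code: a sketch of how the someprogram.sh wrapper could treat its three arguments as untrusted data, rejecting anything that is not well-formed URL-encoding and decoding without eval. The function names and the "status"/"echo" commands are hypothetical, and the accepted alphabet is an assumption based on the encoded sample in the post. It covers only what happens once the arguments reach the script; how the exec line itself is parsed before that is outside its control.

```shell
#!/bin/sh
# Added example: hypothetical body for the someprogram.sh wrapper in the exec line.
# Assumption: arguments arrive URL-encoded, as the post observes for %r.
LC_ALL=C; export LC_ALL   # make the [A-Z] style ranges below byte-exact

# True only if $1 uses the encoded alphabet and every % starts a valid %XX.
is_urlencoded() {
    case $1 in
        *[!A-Za-z0-9%+*._~-]*) return 1 ;;
        *%|*%?|*%[!0-9A-Fa-f]*|*%?[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# Writes the decoded form of $1 to stdout. Fails on malformed input and on
# control bytes (below 0x20, or 0x7F), so no newline or NUL reaches the caller.
urldecode() {
    is_urlencoded "$1" || return 1
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            %*) hex=${rest#%}; hex=${hex%"${hex#??}"}
                n=$(printf '%d' "0x$hex")
                [ "$n" -ge 32 ] && [ "$n" -ne 127 ] || return 1
                printf "\\$(printf '%03o' "$n")"
                rest=${rest#???} ;;
            +*) printf ' '; rest=${rest#+} ;;
            *)  printf '%s' "${rest%"${rest#?}"}"; rest=${rest#?} ;;
        esac
    done
}

# $1 sender (%p), $2 receiver (%P), $3 message text (%r). The decoded text is
# only compared against fixed strings or printed as data: never passed to
# eval, sh -c, an unquoted expansion, or used as a file name.
handle_sms() {
    is_urlencoded "$1" && is_urlencoded "$2" || { echo "rejected"; return 1; }
    msg=$(urldecode "$3") || { echo "rejected"; return 1; }
    case $msg in
        status)   echo "service ok" ;;
        "echo "*) printf 'you sent: %s\n' "${msg#echo }" ;;
        *)        echo "unknown command" ;;
    esac
}

# Run as the wrapper only when called with the three exec parameters.
if [ "$#" -ge 3 ]; then handle_sms "$1" "$2" "$3"; fi
```

Because the wrapper prints "rejected" instead of failing silently, a sender whose message cannot be processed gets a reply rather than nothing.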