How to hide from UNIX strings - obfuscate or hide a literal or constant?

Hi,

I need to somehow pipe the password to a command and run some SQL, for example, something like echo $password | sqlplus -s system @query01.sql

To make it not so obvious, I decided to try out writing a small C program that basically just does echo $password. So now I just do x9.out | sqlplus -s system@query01.sql.

I understand it still is not a secure thing to do, as someone can just run x9.out and know the password. Anyway, the intent is to make it less obvious that I am echo'ing a password, so I am more than happy with that for the time being as a start.

The very, very simple C program is as below:

$ cat x9.c
#include <stdio.h>

int main()
{
    char array[20] = "hello";

    printf("%s",array);

    return 0;
}
$ cc -o x9.out x9.c
$ ./x9.out
hello$
$ strings x9.out
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
printf
__libc_start_main
GLIBC_2.2.5
l$ L
t$(L
|$0H
hello

Unfortunately, as you can see if I do a strings of the x9.out file, it is quite obvious that the word hello stands out.

Can anyone please advise how I can somehow hide that word in the bushes ;)?

For example, maybe I can do a printf of the ASCII values of the word so that if anyone does a strings of it, it shows numbers instead of words.

Finally, eventually, I would want to put something more into the code so that it will be an array that stores a list of username+password, so that if I do x9.out user01 it prints the password of user01, x9.out user02 prints the password of user02 and so on. It will probably be wise that it prompts for a username/password before it allows me to display the information.

BTW, it would be nice if I can put the whole "echo $password | sqlplus -s system" string into the C program so that I only do x9.out @query01.sql so it hides the username and password. I don't see how that can be done, maybe one of the gurus can advise how to do that.

Anyway for now, I just want to know how to hide from UNIX strings :)

How about read-protecting the pw for other users?

echo hello > pwfile
chmod 600 pwfile
sqlplus -s system@query01.sql < pwfile

How about...

char array[20];

array[2] = 'l';
array[4] = 'o';
array[5] = (char)0;
array[1] = 'e';
array[3] = 'l';
array[0] = 'h';

Do that just immediately before you use it. Wipe it out immediately after use.


How about using shc - Script Compiler?

--ahamed

Hi Perderabo,

Thanks as usual for being the first responder.

I am more or less using the one that you suggested. What do you mean by wipe it out immediately?

BTW, looking at one of your replies to "Reading password and echo * character" (Unix Linux Forums, Shell Programming and Scripting): if you don't mind me asking, is it possible for read to read a defined variable, or does it always require user intervention to provide an input?

Below is what I ended up using.

#include <stdio.h>

// - UPPER CASE starts at 65
// - LOWER CASE starts at 97

int count;
// indices 1..26 are written below, so 27 elements are needed
char uc[27];
char lc[27];

char a, b, c, d, e, f;
char g, h, i, j, k, l;
char m, n, o, p, q, r;
char s, t, u, v, w, x;
char y, z;

//char word[100];
//char *word;

int main(void)
{
   /* Build the alphabet tables: index 1 = 'A'/'a' ... index 26 = 'Z'/'z' */

   for ( count = 1; count <= 26; count++ )
   {
          // printf("%d :: %c :: %c \n", count, count+64, count+96);
          uc[count] = (char)count+64;
          lc[count] = (char)count+96;
   }

   // printf("\n ------------------------------------------ \n");

   // d=lc[4];
   // b=lc[2];
   // g=lc[7];
   // u=lc[21];
   // r=lc[18];
   // char word[]={ d, b, t, e, s, t };

   // puts() needs a NUL-terminated string, so end the array with '\0'
   char word[]={ lc[4] , lc[2] , lc[20] , lc[5] , lc[19] , lc[20] , '\0' };

   //printf("%c%c%c%c%c%c",d,b,g,u,r,u);
   //printf("%c \n",u[26]);
   //printf("%c \n",l[26]);

   //#printf("%s",word);
   puts(word);
   return 0;
}

Wipe it out means something like this:

array[0] = (char)0;
array[1] = (char)0;
array[2] = (char)0;
array[3] = (char)0;
array[4] = (char)0;
array[5] = (char)0;

No matter how it got there, after the string is built you have "hello" sitting in core. Don't let it sit for long.

I don't understand your second question at all. The whole purpose of that script is to read a password that a human types in. That is the only way to have true security. It is always possible to reverse engineer a program that secretly builds a password and discover what that password is.
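An added example (not code from any poster in this thread) that combines the two suggestions above: keep the password out of the binary in an owner-only file, as with chmod 600 pwfile, and wipe the buffer right after use. The names read_secret and wipe and the 64-byte buffer are assumptions made for illustration; the wipe goes through a volatile pointer because a plain memset just before return can be optimized away.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Zero a buffer through a volatile pointer so the compiler cannot
   discard the stores as dead code. (Hypothetical helper name.) */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read a secret from path into buf, but only if it is a regular file,
   owned by the caller, with no group/other permission bits (e.g. 0600).
   Returns the length (trailing newline stripped) or -1 on refusal/error. */
int read_secret(const char *path, char *buf, size_t cap)
{
    struct stat st;
    if (cap == 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* do not follow symlinks */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO))) {
        close(fd);
        return -1;                                /* readable by others: refuse */
    }
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    if (n > 0 && buf[n - 1] == '\n') n--;
    buf[n] = '\0';
    return (int)n;
}

int main(int argc, char **argv)
{
    char pw[64];                                  /* assumed maximum length */
    if (argc != 2 || read_secret(argv[1], pw, sizeof pw) < 0) {
        fprintf(stderr, "refusing: need an owner-only password file\n");
        return 1;
    }
    puts(pw);                 /* stdout is meant to be piped, not shown */
    wipe(pw, sizeof pw);      /* do not leave the secret sitting in memory */
    return 0;
}
```

Running strings on the resulting binary shows only the error message, and the program refuses a password file that anyone other than its owner can read.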

A few years back I tried to use it and it was awful. It did not support several advanced shell substitutions and arrays - Has it been improved lately?

No. shc is still an older version. The last version I saw.

You also have to consider how your code will link together.

If you have:-

x9 | mysql .......

.... and you successfully obscure the password as plain text in the compiled x9, what happens if you just run x9 on the command line? My guess is that you would get the credentials you are trying to obscure.

You may need to get the whole operation inside a script and then obscure it all with shc.

Just a thought.

Robin