Valind

Stdin / command line security question

4 posts in this topic

For the sake of simplicity and time, I have chosen to use a few command line programs to achieve the desired result, and of course AutoIt is governing the whole process. For example, let's say a requirement is to compress or decompress files with rar.exe (command line) and the files might as well be secured when not being used with a password. At first I thought that just using one long command passed during a Run "@comspec" would be fine, and it works, but what some probably don't know is that any command line arguments are all easily captured with the right program; thus the password is there for anyone to see.

Instead I have switched to applying the password interactively, that is to say, you keep all the normal arguments intact, but let the program ask you for the password and then supply it with a StdinWrite function call.

1. This solves the problem of not exposing your password to command line spying, but is text passed to Stdin susceptible to peeking or spying as well?

2. If it is, is there any better way to protect a password in this scenario?

{ If you didn't guess, in this example the program is being run on a remote system and the idea is to keep certain data reasonably protected. }

Thanks for any help

If the rar.exe is not the WinRAR official executable, you are likely to give away a lot of data. The problem with foreign systems is that you never know who changed what. Sorry if that puts a damper on your program. You might, however, look into packaging a tiny compressor program as a FileInclude. That way you know that the person won't be able to watch the tiny one because it won't exist until you FileInstall it. Then you just delete it when you are done too. That sounds like a workable solution of security.


That would be a way to ensure the program files are not compromised before being used, but that is not what I was asking btw.

Don't focus on the program being used... how about <insert any command line program here>

I will be passing data through Stdin to command line program x.

If someone wanted to, could they intercept data passed to Stdin with a 3rd party program?

If so, can I do anything to protect or stop it from happening?


If they override the standard handlers at a lower level than your program, then no, there's nothing you can do about it. Otherwise, you don't need to worry.
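
The approach from the first post, as an added example that is not part of the thread: rar.exe is started with `-p` and no password so that it prompts, and the password is written to the child's stdin pipe with StdinWrite instead of appearing in the command line. The paths, archive name and password value are constructed, and the script assumes rar.exe reads a single password line from redirected stdin.

```autoit
#include <Constants.au3>

; Added example. All paths, names and the password value are constructed.
Local Const $sRar = @ScriptDir & "\rar.exe"        ; assumed location of the tool
Local Const $sArchive = @ScriptDir & "\data.rar"   ; constructed archive name
Local Const $sFiles = @ScriptDir & "\data\*"       ; constructed input path
Local $sPassword = "example-only"                   ; constructed value

; Weak form, shown only as a comment: the password is part of the command
; line, which stays readable to process-listing tools while rar.exe runs.
;   Run('"' & $sRar & '" a -p' & $sPassword & ' "' & $sArchive & '" ...')

; Form from the post: "-p" with nothing after it makes rar ask for the
; password, so the command line carries no secret.
Local $sCmd = '"' & $sRar & '" a -p "' & $sArchive & '" "' & $sFiles & '"'

; $STDIN_CHILD gives this script a private pipe to the child's stdin.
; $STDERR_MERGED returns stdout and stderr together for logging.
Local $iPID = Run($sCmd, @ScriptDir, @SW_HIDE, $STDIN_CHILD + $STDERR_MERGED)
If $iPID = 0 Then
    ConsoleWrite("Could not start rar.exe" & @CRLF)
    Exit 1
EndIf

; Send the password as one line, then close the pipe so the child sees
; end-of-file instead of waiting for more input.
; Assumption: the tool asks once; write the line twice if it asks to confirm.
StdinWrite($iPID, $sPassword & @CRLF)
StdinWrite($iPID)

; Drain the child's output until it exits; StdoutRead sets @error at EOF.
Local $sOut = "", $sChunk
While 1
    $sChunk = StdoutRead($iPID)
    If @error Then ExitLoop
    $sOut &= $sChunk
    Sleep(25)
WEnd

ConsoleWrite($sOut & @CRLF)
```

The pipe belongs to the two processes only, so the password never shows up in a process listing; as the last reply says, this does not help against something that hooks the standard handles at a lower level on the machine.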
