rbash escape vulnerability


rbash escape vulnerability

Drew Parker
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
-DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
-DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib  -D_FORTIFY_SOURCE=2
-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong
-DDEFAULT_PATH_VALUE='/usr/local/sbin:/usr/local/bin:/usr/bin'
-DSTANDARD_UTILS_PATH='/usr/bin' -DSYS_BASHRC='/etc/bash.bashrc'
-DSYS_BASH_LOGOUT='/etc/bash.bash_logout' -DNON_INTERACTIVE_LOGIN_SHELLS
-Wno-parentheses -Wno-format-security
uname output: Linux titan 4.14.6-1-ARCH #1 SMP PREEMPT Thu Dec 14 21:26:16
UTC 2017 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu

Bash Version: 4.4
Patch Level: 12
Release Status: release

Description:
    In rbash v4.4.12 it is possible to escape the restricted shell by running a program in the current directory by setting the BASH_CMDS variable. This has currently been patched to exclude "/" characters. However, if the file is flagged as executable, no slash needs to be included, and the file will be executed.

Repeat-By:
    The break out is possible by placing a "sh" file in the current directory. When I was working on this, I was able to simply run "cp /bin/sh ."

    From there, set the BASH_CMDS and execute it as such: BASH_CMDS[a]=sh;a

Fix:
    This issue seems to have been addressed in v4.4, however it appears that it was just implementing a filter to restrict the use of the "/" character.

Re: rbash escape vulnerability

Chet Ramey
On 12/21/17 2:03 PM, Drew Parker wrote:

> Bash Version: 4.4
> Patch Level: 12
> Release Status: release
>
> Description:
>     In rbash v4.4.12 it is possible to escape the restricted shell by running a program in the current directory by setting the BASH_CMDS variable. This has currently been patched to exclude "/" characters. However, if the file is flagged as executable, no slash needs to be included, and the file will be executed.

`rbash' isn't especially useful in isolation. I'd argue that the game was
over when you ran `cp /bin/sh .', since that implies that PATH wasn't
sanitized (and may include `.', which would defeat the entire effort).

What's your proposed solution? I can see how verifying that the value
assigned is found in $PATH could fix a portion of the issue.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    [hidden email]    http://tiswww.cwru.edu/~chet/
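The two points in the reply above, a sanitized PATH and a BASH_CMDS value that must be found in $PATH, written out as defender-side checks. This is an added example, not code from the thread or from bash itself; the temporary directories and the stub `ls` and `sh` files it creates are constructed for the demo.

```shell
# Added example, not code from the thread or from bash itself. It turns the
# reply's two points into checks: audit_restricted_path flags the PATH entries
# that let a file staged in the current directory run by bare name, and
# resolve_in_path is the proposed BASH_CMDS check (no "/" in the value, and it
# must resolve to an executable under an absolute PATH directory).

# Print one line per empty, ".", ".." or relative PATH entry; nothing if clean.
audit_restricted_path() {
    local rest="$1:" entry            # trailing ':' keeps empty fields ("a::b")
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        case $entry in
            '')   printf "unsafe entry: '' (empty means cwd)\n" ;;
            .|..) printf "unsafe entry: '%s'\n" "$entry" ;;
            /*)   ;;                  # absolute directory: fine
            *)    printf "unsafe entry: '%s' (relative)\n" "$entry" ;;
        esac
    done
}

# Accept NAME only if it has no "/" and DIR/NAME is an executable regular file
# for some absolute DIR in PATHVAL; print that path and return 0, else 1.
resolve_in_path() {
    local name="$1" rest="$2:" entry
    case $name in ''|*/*) return 1 ;; esac
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        case $entry in /*)            # relative and empty entries are skipped
            if [ -f "$entry/$name" ] && [ -x "$entry/$name" ]; then
                printf '%s\n' "$entry/$name"; return 0
            fi ;;
        esac
    done
    return 1
}

# Constructed scenario from the report: a real ls under $top/bin, a staged sh in cwd.
demo() (
    top=$(mktemp -d) || exit 1
    mkdir -p "$top/bin" "$top/work"
    printf '#!/bin/sh\necho ls\n' > "$top/bin/ls";  chmod +x "$top/bin/ls"
    printf '#!/bin/sh\necho sh\n' > "$top/work/sh"; chmod +x "$top/work/sh"
    cd "$top/work" || exit 1
    audit_restricted_path "$top/bin:."      # reports the '.' entry
    resolve_in_path ls "$top/bin" && echo "ls accepted"
    resolve_in_path sh "$top/bin" || echo "sh rejected: present only in cwd"
    resolve_in_path ./sh "$top/bin" || echo "./sh rejected: contains '/'"
    rm -rf "$top"
)
demo
```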