
Potential restricted bash escape by modifying history file

From Diffie <nano@mm.st>
Newsgroups gnu.bash.bug
Subject Potential restricted bash escape by modifying history file
Date 2020-04-30 14:22 -0400
Message-ID <mailman.1702.1588272528.3066.bug-bash@gnu.org> (permalink)
References <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com>


Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wno-parentheses -Wno-format-security
uname output: Linux host 5.5.17-200.fc31.x86_64 #1 SMP Mon Apr 13 15:29:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.0
Patch Level: 11
Release Status: release

*Description:*
It is possible to write/append arbitrary content to files from a restricted bash shell (with the privileges of the current user context) by tweaking the HISTFILE variable, or by specifying a filename to "history -[a][w]". This does not necessarily lead to a restriction bypass in all configurations, but does in a few that come to mind:

* If the user can write to their home directory they can append arbitrary code to .bashrc/other shell files. These shell files will execute the code without restrictions on subsequent runs of rbash (assuming rbash is not being run in posix mode, and that --norc is not being passed)
* If the user is root they can trivially get an unrestricted shell by modifying /etc/passwd, etc.
* If the cwd contains an executable script that the user can write to, they can append to the script with arbitrary code, then invoke this code from rbash: "hash -p executable_script mal_command ; mal_command" (this could be possible with an executable binary too, although it would be a little more complex)
* SSH authorized keys, various other configs.
* etc...

Again, it will depend on the configuration, but this seems exploitable in most configurations of rbash (one where it may be more difficult to exploit is when the user is placed into a non-home directory chroot where they have limited write access).


*Repeat-By:*
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
[__RESTRICTED] bash-5.0$ export HISTFILE=$HOME/.bashrc
[__RESTRICTED] bash-5.0$ history -c
[__RESTRICTED] bash-5.0$ /usr/bin/whoami
[__RESTRICTED] bash: /usr/bin/whoami: restricted: cannot specify `/' in command names
[__RESTRICTED] bash-5.0$ history -a
[__RESTRICTED] bash-5.0$ exit

[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
diffie # whoami inserted into .bashrc above
[__RESTRICTED] bash-5.0$

OR without using HISTFILE variable

[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
[__RESTRICTED] bash-5.0$ history -a $HOME/.bashrc '
> /usr/bin/whoami
> '
[__RESTRICTED] bash-5.0$ exit

[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
diffie
[__RESTRICTED] bash-5.0$


*Fix:*
* Disable writing to a specific file in rbash with "history -[a][w] /tmp/bad_file bad_command" and make HISTFILE readonly. May be some other edge cases here.
* Disable history in rbash altogether.
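An added audit script, not part of this report or of bash itself, that asks a given bash binary whether its restricted mode still shows the two behaviours described above (HISTFILE can be reassigned; `history -w FILE` accepts a filename) and whether the suggested readonly-HISTFILE mitigation blocks the first of them. The bash path in BASH_BIN, the function names and the temporary probe file are assumptions made for this example:

```shell
#!/bin/bash
# Audit helper for the rbash history-file report (example code, not bash's own
# and not the reporter's).  BASH_BIN and the probe file paths are assumptions.

BASH_BIN="${BASH_BIN:-$(command -v bash 2>/dev/null || echo /bin/bash)}"

# Probe 1: does `bash -r` still accept an assignment to HISTFILE?
# Returns 0 when the assignment is accepted (the behaviour the report relies on),
# 1 when the restricted shell rejects it as a readonly variable.
rbash_allows_histfile_reassign() {
    "$BASH_BIN" -r -c 'HISTFILE=/dev/null' >/dev/null 2>&1
}

# Probe 2: does `history -w FILE` inside `bash -r` create FILE?
# Returns 0 when the file is written, 1 when it is not, 2 on a setup failure.
rbash_allows_history_file_arg() {
    local dir out rc
    dir=$(mktemp -d) || return 2
    out="$dir/probe-history"
    # Turn history on so the list is non-empty, then ask bash to write it to a
    # path of our choosing, the same step the report's second transcript uses.
    "$BASH_BIN" -r -c 'set -o history; history -s probe-entry; history -w "$1"' \
        rbash-probe "$out" >/dev/null 2>&1
    if [ -e "$out" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Mitigation check: marking HISTFILE readonly before the shell becomes
# restricted (from a profile the user cannot edit) makes probe 1 fail on any
# bash version.  Returns 0 when the reassignment is blocked, 1 otherwise.
histfile_locked_by_profile() {
    if "$BASH_BIN" -r -c 'readonly HISTFILE; HISTFILE=/dev/null' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Human-readable summary; always returns 0 so it can run from a login hook.
rbash_history_audit_report() {
    local rc
    printf 'bash binary: %s\n' "$BASH_BIN"
    if rbash_allows_histfile_reassign; then
        echo 'HISTFILE reassignment in restricted mode: ALLOWED (report applies)'
    else
        echo 'HISTFILE reassignment in restricted mode: blocked'
    fi
    rbash_allows_history_file_arg && rc=0 || rc=$?
    case "$rc" in
        0) echo 'history -w FILE in restricted mode: ALLOWED (report applies)' ;;
        1) echo 'history -w FILE in restricted mode: blocked' ;;
        *) echo 'history -w FILE in restricted mode: probe could not run' ;;
    esac
    if histfile_locked_by_profile; then
        echo 'readonly HISTFILE from profile: blocks reassignment'
    else
        echo 'readonly HISTFILE from profile: does NOT block reassignment'
    fi
    return 0
}

rbash_history_audit_report
```

Two points the output makes visible: a `readonly HISTFILE` placed in the user's own .bashrc is not a mitigation, because the report's first scenario has the user appending to that very file, so it has to come from a profile the restricted user cannot write; and the readonly variable only closes the HISTFILE route, while the `history -a FILE` / `history -w FILE` route (probe 2) needs the builtin itself to refuse a filename argument in restricted mode, which is why the report asks for both changes.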
