| From | Chet Ramey <chet.ramey@case.edu> |
|---|---|
| Newsgroups | gnu.bash.bug |
| Subject | Re: Potential restricted bash escape by modifying history file |
| Date | 2020-05-01 15:06 -0400 |
| Organization | ITS, Case Western Reserve University |
| Message-ID | <mailman.1786.1588360008.3066.bug-bash@gnu.org> |
| References | <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com> <77a40392-8fad-553b-fa0a-ccaa60f82269@case.edu> |

On 4/30/20 2:22 PM, Diffie wrote:

> Bash Version: 5.0
> Patch Level: 11
> Release Status: release
>
> *Description:*
> It is possible to write/append arbitrary content to files from a restricted bash shell (with the privileges of the current user context) by tweaking the HISTFILE variable, or by specifying a filename to "history -[a][w]". This does not necessarily lead to a restriction bypass in all configurations, but does in a few that come to mind:
>
> * If the user can write to their home directory they can append arbitrary code to .bashrc/other shell files. These shell files will execute the code without restrictions on subsequent runs of rbash (assuming rbash is not being run in posix mode, and that --norc is not being passed)
> * If the user is root they can trivially get an unrestricted shell by modifying /etc/passwd, etc.
> * If the cwd contains an executable script that the user can write to, they can append to the script with arbitrary code, then invoke this code from rbash: "hash -p executable_script mal_command ; mal_command" (this could be possible with an executable binary too, although would be a little more complex)
> * SSH authorized keys, various other configs.

These all fall under the category of "poorly configured restricted shell."
But it's not a bad idea to restrict history -arnw and make HISTFILE readonly.

Thanks for the report.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
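
The cases listed in the report all depend on the restricted account being able to modify a file that is later trusted. As an added example (not part of the original message, and not code from bash), the script below audits an account's home directory for those writable targets. The function names, the set of startup files checked, and the rule that group- or world-writable counts as writable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread: list paths in a restricted-shell
# account's home that the account could modify. Function names are hypothetical.

# Succeeds if USER ($1, name or numeric uid) owns PATH ($2) with the owner
# write bit set, or PATH is group- or world-writable (counted conservatively).
user_can_modify() {
    [ -e "$2" ] || return 1
    [ -n "$(find "$2" -prune \( \( -user "$1" -perm -200 \) \
        -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print one "FINDING: ..." line per risky path for USER ($1) and HOME ($2).
list_findings() {
    if user_can_modify "$1" "$2"; then
        echo "FINDING: home directory writable, startup files can be created: $2"
    fi
    # Files bash reads at startup, plus SSH key material.
    for f in .bashrc .bash_profile .bash_login .profile \
             .ssh .ssh/authorized_keys; do
        if user_can_modify "$1" "$2/$f"; then
            echo "FINDING: writable startup/config path: $2/$f"
        fi
    done
    # Executable regular files directly in the start directory.
    find "$2" -maxdepth 1 -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null |
    while IFS= read -r f; do
        if user_can_modify "$1" "$f"; then
            echo "FINDING: writable executable in start directory: $f"
        fi
    done
}

# Exit status 0 when nothing was flagged, 1 otherwise.
audit_rbash_home() {
    findings=$(list_findings "$1" "$2")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit.sh USER HOME
if [ "$#" -eq 2 ]; then
    audit_rbash_home "$1" "$2"
fi
```

A clean result means the home directory, startup files and SSH key material are owned by another account (typically root) and carry no group or world write bits.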