Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > gnu.bash.bug > #16262
| Path | csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Chet Ramey <chet.ramey@case.edu> |
| Newsgroups | gnu.bash.bug |
| Subject | Re: Potential restricted bash escape by modifying history file |
| Date | Fri, 1 May 2020 15:06:33 -0400 |
| Organization | ITS, Case Western Reserve University |
| Lines | 26 |
| Approved | bug-bash@gnu.org |
| Message-ID | <mailman.1786.1588360008.3066.bug-bash@gnu.org> (permalink) |
| References | <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com> <77a40392-8fad-553b-fa0a-ccaa60f82269@case.edu> |
| Reply-To | chet.ramey@case.edu |
| NNTP-Posting-Host | lists.gnu.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=utf-8 |
| Content-Transfer-Encoding | 7bit |
| X-Trace | usenet.stanford.edu 1588360009 9381 209.51.188.17 (1 May 2020 19:06:49 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| Cc | chet.ramey@case.edu |
| To | Diffie <nano@mm.st>, bug-bash@gnu.org |
| Envelope-to | bug-bash@gnu.org |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=case.edu; s=smtp-primary; t=1588359998; bh=9SX2x1LUOkCnffuo9ptY2fl2glpOGfT3XaUQn8gnOzc=; h=Reply-To:Cc:Subject:To:References:From:Message-ID:Date: MIME-Version:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=T56lPsWceXxKALpa/NpTzw9igYAjPJIHDjH4V20scpSQLdAQI4pecW4+zgGCthsKUy vEVG524IMXJQBz7oQnvph0W9mQvDm/KV8zV06RpLl0B/V3nFtUiuNJeS9mf2frg7dol JiwdXVIg8hCXhGQ8CaLgEZeRE9Tt8gnDbTtj+yG04zXZIuhnmKp7MDBwtjWl1k7jO3P j2ot3+8sL8Cm6Zzi8k+7TRMS/w4CpAVoI4DOg+UR6H0wzYJAJmoFWMKMp9ZpFfKW5jN MnmIkZADvz3ogKY78m3JrevtztZgOUsiRfwmvI99ciWCFLrFhc3j+PWtfmyUZ6Gjnwz A/MbBmvQ== |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=case.edu; s=smtp-primary; t=1588359996; bh=lYT4Mx3/6tibNjDT1cU1UXsQOG/kBOznWISnRHH6wb4=; h=Reply-To:Cc:Subject:To:References:From:Message-ID:Date: MIME-Version:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=EYKYxICEUEre/kyRdPXKoFIY6DNYJzxMEG++76RAu8EASWNn2+0ppdh29y6YRe2v5R miq2zx55ml4/B9aFt3M5E7tw3D14nDK+ODvht/XRTYrlkWaTQ/cTXVVkwyz2bVayKWl SXWpno2GDUH5UEKBDa+hb+QQ1K1/dmOsb5kHz3Iqt/O7GMnRhXiHgioks3k0CGS3M/g IUF5epVssRBwM9DGtpOxD+rYkxAEH/gavYrA7gdQYW8+QPRJLTpCoBPXFEzn9KVf8GO Rw7/FhcGv5tYf20aaPVQjwd53X+I0orRdNUs/dPMppq+VBkUk0OdYxoIhGkZhbv7keQ Afk0DlFw== |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=case.edu; s=g-case; h=reply-to:cc:subject:to:references:from:autocrypt:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=lYT4Mx3/6tibNjDT1cU1UXsQOG/kBOznWISnRHH6wb4=; b=e2BhYXczbp5+1O7m6b60PrFo1sWFws9LJ7wm67I+YpqgCB4sz1lzIS9bli5ibImUEp Uc4pAH3xiXtt7Vwp9Wu9H7cK53PpdiQ3rkGOUz2h86x1Rui1kB2nPzl6ZZie6LNbpa/0 oQbC5iWIIaq5B+AWYcMYcRe4rNuwmqEJ6c9dT4HEARU3r4oftayVcf/wrzJydqPn3D+s 4nGiY/Bo+HBC2aB6QJePA4CrWIn2YxLNX4h4WpimpGagfeeJVJE0L/hRUe+ujcHTpqxo Sqo15KY0Hvl7ZR4crpBOhWPRbCQFpqhpqlV6y0kfIkpRygV+rlTijJYmb3g7aSUKn78a AgXQ== |
| X-Google-DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:cc:subject:to:references:from:autocrypt :organization:message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=lYT4Mx3/6tibNjDT1cU1UXsQOG/kBOznWISnRHH6wb4=; b=kNYo6WCY5W04KUR64Wd1IpTmcp5wRhu87REr4Slz/v1wOVXM2wv12Aqf68v9D2W0Hy U7pAcNuVUIQiNHbjLGTtn0/yyxOrG8Exz50UdFOpu2eVoFUVx/JyRkA8M2CW0V1fJp2v JGGz95qS6Z2bJMSUz1BPsZ6vZlKN0naDr4CsNZDG22lPRxZuDiRP38COX5VHVu6ePxpD ECWIdUb6c9iI/axUYGrAEyhptosaSSlc3BtjKK83CKoRBmll9u52GggmTABESps7x/wm 4Ae/p22VDeFj3QwkjPwQEJKtuk5SI7k59ZH3aiId6sKloX2JR1Cy/EVgq7EgJG8i4ATG kz2w== |
| X-Gm-Message-State | AGi0Pubr+9QBLR5Fp9k2QDdzq9OGmFarIb4seX5rdIWJxAR6sDyv3B9t BSac3TSC6+l64MTLlRHNASefw5ilwD1yna1deH2YZ2EoeF0ujy5EWboNJLTGpsEMrwfi7VrMigg c/3IUkAZtty8= |
| X-Received | by 2002:a05:6214:bc6:: with SMTP id ff6mr5541061qvb.43.1588359995838; Fri, 01 May 2020 12:06:35 -0700 (PDT) |
| X-Google-Smtp-Source | APiQypLOVfIBpIHy4OnV7XvB+gYp3vbUW/ir2vofVlTZF32COk5VMdyARalvJwS/iqkRDbr+YHvJcw== |
| X-Received | by 2002:a05:6214:bc6:: with SMTP id ff6mr5541041qvb.43.1588359995546; Fri, 01 May 2020 12:06:35 -0700 (PDT) |
| Autocrypt | addr=chet.ramey@case.edu; prefer-encrypt=mutual; keydata= mQGiBEEOsGwRBACFa0A1oa71HSZLWxAx0svXzhOZNQZOzqHmSuGOG92jIpQpr8DpvgRh40Yp AwdcXb8QG1J5yGAKeevNE1zCFaA725vGSdHUyypHouV0xoWwukYO6qlyyX+2BZU+okBUqoWQ koWxiYaCSfzB2Ln7pmdys1fJhcgBKf3VjWCjd2XJTwCgoFJOwyBFJdugjfwjSoRSwDOIMf0D /iQKqlWhIO1LGpMrGX0il0/x4zj0NAcSwAk7LaPZbN4UPjn5pqGEHBlf1+xDDQCkAoZ/VqES GZragl4VqJfxBr29Ag0UDvNbUbXoxQsARdero1M8GiAIRc50hj7HXFoERwenbNDJL86GPLAQ OTGOCa4W2o29nFfFjQrsrrYHzVtyA/9oyKvTeEMJ7NA3VJdWcmn7gOu0FxEmSNhSoV1T4vP2 1Wf7f5niCCRKQLNyUy0wEApQi4tSysdz+AbgAc0b/bHYVzIf2uO2lIEZQNNt+3g2bmXgloWm W5fsm/di50Gm1l1Na63d3RZ00SeFQos6WEwLUHEB0yp6KXluXLLIZitEJLQwQ2hldCBSYW1l eSAoQ2FzZSBzdGFuZGFyZCkgPGNoZXQucmFtZXlAY2FzZS5lZHU+iF8EExECAB8FAkPi19EC GwMHCwkIBwMCAQMVAgMDFgIBAh4BAheAAAoJELtYafBk6nSrelkAn31Gsuib7GcCZHbv5L5t VKYR9LklAJ4hzUHKA49Z0QXR+qCb80osIcmPSbkBDQRBDrBvEAQAkK6TAOKBEM+EC4j6V/7o /riVZqcgU5cid2qG9TXdwNtD9a3kvA/ObZBO93sX59wc6Bnwo4VJxsOmMlpGrAjJsxNwg3QH akEtf8LXRbVpj5xStdmBdQZUhIQyalo/2/TZq5OijtddUQcL5cs70hTv/FpT3wUvr2Xr8rjF 41IFEz8AAwcD/A0CZEGlzIrT5WCBnl6xBog/8vKiUCbarByat3d1mL6DbizvKNXQRTC9E/vE dENAWCQCjr75Bu55xT8n3SXGtWdDC5xmZ/P3OBYORP8yl8H8I1FIosWOFirbIeYdZPq8SPD1 HL+EXo9zSiHVrrZRJ19ooCKKbSdXHFCY+aJG+0KZiEkEGBECAAkFAkEOsG8CGwwACgkQu1hp 8GTqdKvjcACfZlkVCDwaz/NTO9cy3t69oWpVPNwAnRwe0qk/WL/gfhH346xh5B3HFbFN |
| User-Agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 |
| In-Reply-To | <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com> |
| Content-Language | en-US |
| X-Mirapoint-IP-Reputation | reputation=Good-1, source=Queried, refid=tid=0001.0A020303.5EAC6D35.00AD, actions=tag |
| X-Mirapoint-IP-Reputation | reputation=good-1, source=Fixed, refid=n/a, actions=tag |
| X-Junkmail-Status | score=8/80, host=mpv3-2015.case.edu |
| X-Junkmail-PrAS-Raw | score=8/80, refid=2.7.2:2020.5.1.184819:17:8.129, ip=, rules=__YOUTUBE_RCVD, DKIM_SIGNATURE, __X_GOOGLE_DKIM_SIGNATURE, __HAS_REPLYTO, __HAS_CC_HDR, __SUBJ_REPLY, __BOUNCE_CHALLENGE_SUBJ, __BOUNCE_NDR_SUBJ_EXEMPT, __SUBJ_ALPHA_END, __TO_MALFORMED_2, __MULTIPLE_RCPTS_TO_X2, __TO_NAME, __TO_NAME_DIFF_FROM_ACC, __HAS_REFERENCES, __REFERENCES, __HAS_FROM, FROM_EDU_TLD, __HAS_MSGID, __SANE_MSGID, DATE_TZ_NA, __USER_AGENT, __MOZILLA_USER_AGENT, __MIME_VERSION, __IN_REP_TO, __CT, __CT_TEXT_PLAIN, __CTE, __REPLYTO_SAMEAS_FROM_ADDY, __REPLYTO_SAMEAS_FROM_ACC, __FROM_DOMAIN_IN_ANY_CC1, __FROM_DOMAIN_IN_ANY_CC2, __REPLYTO_SAMEAS_FROM_DOMAIN, __DKIM_ALIGNS_1, __DKIM_ALIGNS_2, __ANY_URI, __URI_MAILTO, __URI_WITH_PATH, __URI_ENDS_IN_SLASH, __URI_NO_WWW, __CP_URI_IN_BODY, __SUBJ_ALPHA_NEGATE, SUPERLONG_LINE, __URI_IN_BODY, __URI_NOT_IMG, __MAIL_CHAIN, __FORWARDED_MSG, __BODY_NO_MAILTO, __NO_HTML_TAG_RAW, BODY_SIZE_1500_1599, [TRUNCATED], so=2010-03-03 19:42:08, dmn=2016-08-03-0138 |
| Received-SPF | pass client-ip=129.22.103.194; envelope-from=chet.ramey@case.edu; helo=mpv3-2015.case.edu |
| X-detected-operating-system | by eggs.gnu.org: First seen = 2020/05/01 15:06:37 |
| X-ACL-Warn | Detected OS = Linux 2.4.x-2.6.x [generic] [fuzzy] |
| X-Received-From | 129.22.103.194 |
| X-BeenThere | bug-bash@gnu.org |
| X-Mailman-Version | 2.1.23 |
| Precedence | list |
| List-Id | Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org> |
| List-Unsubscribe | <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe> |
| List-Archive | <https://lists.gnu.org/archive/html/bug-bash> |
| List-Post | <mailto:bug-bash@gnu.org> |
| List-Help | <mailto:bug-bash-request@gnu.org?subject=help> |
| List-Subscribe | <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <77a40392-8fad-553b-fa0a-ccaa60f82269@case.edu> |
| X-Mailman-Original-References | <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com> |
| Xref | csiph.com gnu.bash.bug:16262 |
Show key headers only | View raw
On 4/30/20 2:22 PM, Diffie wrote: > Bash Version: 5.0 > Patch Level: 11 > Release Status: release > > *Description:* > It is possible to write/append arbitrary content to files from a restricted bash shell (with the privileges of the current user context) by tweaking the HISTFILE variable, or by specifying a filename to "history -[a][w]". This does not necessarily lead to a restriction bypass in all configurations, but does in a few that come to mind: > > * If the user can write to their home directory they can append arbitrary code to .bashrc/other shell files. These shell files will execute the code without restrictions on subsequent runs of rbash (assuming rbash is not being run in posix mode, and that --norc is not being passed) > * If the user is root they can trivially get an unrestricted shell by modifying /etc/passwd, etc. > * If the cwd contains an executable script that the user can write to, they can append to the script with arbitrary code, then invoke this code from rbash: "hash -p executable_script mal_command ; mal_command" (this could be possible with an executable binary too, although would be a little more complex) > * SSH authorized keys, various other configs. These all fall under the category of "poorly configured restricted shell." But it's not a bad idea to restrict history -arnw and make HISTFILE readonly. Thanks for the report. Chet -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
Back to gnu.bash.bug | Previous | Next | Find similar
Re: Potential restricted bash escape by modifying history file Chet Ramey <chet.ramey@case.edu> - 2020-05-01 15:06 -0400
csiph-web