From: Chet Ramey
Newsgroups: gnu.bash.bug
Subject: Re: Potential restricted bash escape by modifying history file
Date: Fri, 1 May 2020 15:06:33 -0400
Organization: ITS, Case Western Reserve University
Message-ID: <77a40392-8fad-553b-fa0a-ccaa60f82269@case.edu>
References: <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com>
In-Reply-To: <1254402a-b6ad-4bb8-9831-7830b24c12f0@www.fastmail.com>
Reply-To: chet.ramey@case.edu
To: Diffie, bug-bash@gnu.org
Cc: chet.ramey@case.edu
List-Id: Bug reports for the GNU Bourne Again SHell
Xref: csiph.com gnu.bash.bug:16262

On 4/30/20 2:22 PM, Diffie wrote:
> Bash Version: 5.0
> Patch Level: 11
> Release Status: release
>
> *Description:*
> It is possible to write/append arbitrary content to files from a restricted
> bash shell (with the privileges of the current user context) by tweaking the
> HISTFILE variable, or by specifying a filename to "history -[a][w]". This does
> not necessarily lead to a restriction bypass in all configurations, but does
> in a few that come to mind:
>
> * If the user can write to their home directory they can append arbitrary
>   code to .bashrc/other shell files. These shell files will execute the code
>   without restrictions on subsequent runs of rbash (assuming rbash is not
>   being run in posix mode, and that --norc is not being passed)
> * If the user is root they can trivially get an unrestricted shell by
>   modifying /etc/passwd, etc.
> * If the cwd contains an executable script that the user can write to, they
>   can append to the script with arbitrary code, then invoke this code from
>   rbash: "hash -p executable_script mal_command ; mal_command" (this could be
>   possible with an executable binary too, although would be a little more
>   complex)
> * SSH authorized keys, various other configs.

These all fall under the category of "poorly configured restricted shell."
But it's not a bad idea to restrict history -arnw and make HISTFILE readonly.

Thanks for the report.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/
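An added example, not part of the report or of Chet's reply and not code shipped with bash: a startup fragment that applies the mitigation Chet mentions (read-only HISTFILE plus a disabled history builtin), with checks that run each blocked operation under bash -r. It assumes the fragment is loaded through the restricted account's BASH_ENV or .bashrc, which bash sources before the rbash restrictions take effect; the target paths are constructed.

```shell
#!/bin/sh
# Constructed hardening fragment for a restricted-shell account (example code,
# not from the bug report or from bash itself).

harden_history_rc() {
    # Emit the rc fragment. Pinning HISTFILE and marking it read-only stops the
    # HISTFILE redirect; disabling the builtin removes 'history -a/-w <file>',
    # and rbash refuses 'enable' on a builtin that has been disabled.
    cat <<'EOF'
HISTFILE=/dev/null
readonly HISTFILE HISTFILESIZE HISTSIZE
enable -n history
EOF
}

# Run one command line in a restricted bash that has loaded the fragment
# through BASH_ENV (sourced before restrictions are enforced). Returns that
# command's exit status; stderr is silenced to keep the checks quiet.
run_restricted() {
    rc=$(mktemp) || return 2
    harden_history_rc > "$rc"
    if BASH_ENV="$rc" bash -r -c "$1" 2>/dev/null; then status=0; else status=$?; fi
    rm -f "$rc"
    return "$status"
}

# Each check succeeds (exit 0) only when the restricted shell REJECTS the operation.
# The /tmp paths are constructed stand-ins for any file the user could point at.
histfile_reassign_blocked() { ! run_restricted 'HISTFILE=/tmp/constructed-target'; }
histfile_unset_blocked()    { ! run_restricted 'unset HISTFILE'; }
history_write_blocked()     { ! run_restricted 'history -w /tmp/constructed-target'; }
reenable_blocked()          { ! run_restricted 'enable history'; }

# Stand-alone run: report the outcome of every check.
for chk in histfile_reassign_blocked histfile_unset_blocked \
           history_write_blocked reenable_blocked; do
    if "$chk"; then echo "ok   $chk"; else echo "FAIL $chk"; fi
done
```

Deploying the fragment only hardens the history path; the other file-write routes in the report (writable rc files, writable scripts in the cwd) still need the account's directories and PATH locked down separately.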