[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: rbash escape vulnerability
From: |
Chet Ramey |
Subject: |
Re: rbash escape vulnerability |
Date: |
Fri, 22 Dec 2017 10:30:38 -0500 |
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 |
On 12/21/17 2:03 PM, Drew Parker wrote:
> Bash Version: 4.4
> Patch Level: 12
> Release Status: release
>
> Description:
> In rbash v4.4.12 it is possible to escape the restricted shell by
> running a program in the current directory
> by setting the BASH_CMDS variable. This had currently been patched to
> exclude "/"
> characters. However, if the file is flagged as executable, no slash
> needs to be
> included, and the file with be executed.
`rbash' isn't especially useful in isolation. I'd argue that the game was
over when you ran `cp /bin/sh .', since that implies that PATH wasn't
sanitized (and may include `.', which would defeat the entire effort).
What's your proposed solution? I can see how verifying that the value
assigned is found in $PATH could fix a portion of the issue.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/