bug-bash

Re: [PATCH] bash: add socket server support


From: Piotr Grzybowski
Subject: Re: [PATCH] bash: add socket server support
Date: Thu, 14 Nov 2013 06:50:33 +0100

Hullo Joel,

 I can think of an attack, just provide me with the IP address of the host
:) and a root account password and login :)
 I agree that most systems have other abilities to do the (almost)
same, but yet, all systems (that is to say many more than have nc)
have bash, and while roots on those will expect netcat to be able to
open listen sockets they do not necessarily expect bash to do the
same.
 My main point is: this patch means that every user that has access to a
who-knows-how restricted shell can open listen sockets, and unless
someone thought of using grsecurity to deny access to bind(2) it is
unrestricted.
 This feature should at least be switchable, or otherwise restricted.

sincerely,
pg


On Wed, Nov 13, 2013 at 3:08 PM, Joel Martin <address@hidden> wrote:
> Hi Piotr,
>
> Thanks for the feedback. I don't believe this functionality changes the
> attack surface. Most systems with bash also have nc/netcat or an equivalent
> program which can do the same thing. Even the nc version in busybox has
> listen capability. In fact, if you can create a file with arbitrary content
> and mark it as executable then you have access to the system calls needed to
> listen on a socket. All existing security permissions still apply (e.g.
> ports < 1024 requiring elevated privilege, SELinux, etc).
>
> Do you have a specific attack or vector that is enabled or made worse by
> this addition?
>
> Regards,
>
> Joel Martin (kanaka)
>
>
> On Wed, Nov 13, 2013 at 1:35 AM, Piotr Grzybowski <address@hidden>
> wrote:
>>
>> Hi Everyone, hi Joel,
>>
>>  the idea is nice, and I can really see that it is useful, but I would
>> be extremely careful with introducing those kinds of changes; it can be
>> easily interpreted as a "backdoor feature", that is: from a security point
>> of view it could be a disaster.
>>
>> cheers,
>> pg
>>
>>
>>
>> On Tue, Nov 12, 2013 at 10:02 PM, Joel Martin <address@hidden>
>> wrote:
>> > Currently, an outbound socket connection (client) can be created using
>> > the syntax:
>> >
>> > exec 5<> /dev/tcp/HOST/PORT
>> >
>> > This patch implements support for accepting incoming connections
>> > (server) using a slightly different syntax:
>> >
>> > exec 6<> /dev/tcp/HOST/:PORT   # note the colon
>> >
>> > The listen/accept call will block until a connection is received and it
>> > will be bound to the redirection.
>> >
>> > Included in the patch is a small test that has an example of usage. I've
>> > also attached a minimal web server that leverages this functionality (pure
>> > bash except for a call to wc and cat).
>> >
>> > Please include me in Cc since I am not on the list.
>> >
>> > Thanks,
>> >
>> > Joel Martin (kanaka)
>
>
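The two redirection forms quoted in the thread (the existing client form /dev/tcp/HOST/PORT and the proposed listen form with a colon before the port) are easy to pick out of shell history or command audit output, which is the practical answer to Piotr's concern that administrators do not expect bash to open sockets. The scanner below is an added example, not code from the thread or from the patch: it parses lines of text only and opens no sockets, and the history lines in SAMPLE_HISTORY are constructed, with RFC 5737 documentation addresses and arbitrary port numbers.

```python
"""Flag bash /dev/tcp and /dev/udp redirections in shell history or audit output."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# A bash network redirection target. The client form is /dev/tcp/HOST/PORT;
# the listen form proposed in the patch adds a colon: /dev/tcp/HOST/:PORT.
# /dev/udp is the UDP counterpart bash provides alongside /dev/tcp.
_NET_REDIR = re.compile(
    r"/dev/(?P<proto>tcp|udp)/(?P<host>[^/\s]+)/(?P<colon>:?)(?P<port>[^\s;&|)'\"]+)"
)


@dataclass(frozen=True)
class NetRedirect:
    line_no: int   # 1-based line number in the scanned input
    proto: str     # "tcp" or "udp"
    host: str
    port: str      # kept as text: bash also accepts service names here
    listen: bool   # True for the proposed /dev/tcp/HOST/:PORT (server) form
    text: str      # the offending line, stripped


def find_net_redirects(lines: Iterable[str]) -> List[NetRedirect]:
    """Return one finding per network redirection target found in `lines`."""
    findings: List[NetRedirect] = []
    for n, line in enumerate(lines, 1):
        for m in _NET_REDIR.finditer(line):
            findings.append(NetRedirect(n, m["proto"], m["host"], m["port"],
                                        m["colon"] == ":", line.strip()))
    return findings


def listen_sockets(findings: List[NetRedirect]) -> List[NetRedirect]:
    """Only the listen-form findings, which are the ones the thread worries about."""
    return [f for f in findings if f.listen]


# Constructed sample input (not real history): the two forms from the thread,
# a UDP client redirection, and two benign lines that must not match.
SAMPLE_HISTORY = """\
cd /var/tmp
exec 5<> /dev/tcp/192.0.2.10/8080
echo hello > /tmp/out
exec 6<> /dev/tcp/0.0.0.0/:8081   # proposed listen syntax
cat /etc/hostname > /dev/udp/192.0.2.20/514
""".splitlines()

if __name__ == "__main__":
    for f in find_net_redirects(SAMPLE_HISTORY):
        kind = "LISTEN" if f.listen else "connect"
        print(f"line {f.line_no}: {f.proto} {kind} {f.host}:{f.port}  <- {f.text}")
```

Feeding real `~/.bash_history` or auditd `EXECVE` argument strings through find_net_redirects gives the same structured findings; the listen flag is what distinguishes the server form the patch proposes from the client form bash has supported for years, so a rule can treat the two differently.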


