[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

rbash escape vulnerability

From: Drew Parker
Subject: rbash escape vulnerability
Date: Thu, 21 Dec 2017 13:03:03 -0600

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
-DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
-DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib  -D_FORTIFY_SOURCE=2
-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong
-DSTANDARD_UTILS_PATH='/usr/bin' -DSYS_BASHRC='/etc/bash.bashrc'
-Wno-parentheses -Wno-format-security
uname output: Linux titan 4.14.6-1-ARCH #1 SMP PREEMPT Thu Dec 14 21:26:16
UTC 2017 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu

Bash Version: 4.4
Patch Level: 12
Release Status: release

    In rbash v4.4.12 it is possible to escape the restricted shell by
running a program in the current directory
    by setting the BASH_CMDS variable. This had currently been patched to
exclude "/"
    characters. However, if the file is flagged as executable, no slash
needs to be
    included, and the file with be executed.

    The break out is possible by placing a "sh" file in the current
directory. When I was
    working on this, I was able to simply run "cp /bin/sh ."

    From there, set the BASH_CMDS and execute it as such: BASH_CMDS[a]=sh;a

    This issue seems to have been addressed in v4.4, however it appears
that it was just
    implementing a filter to restrict the use of the "/" character.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]