bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: rbash escape vulnerability


From: Chet Ramey
Subject: Re: rbash escape vulnerability
Date: Fri, 22 Dec 2017 10:30:38 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.5.0

On 12/21/17 2:03 PM, Drew Parker wrote:

> Bash Version: 4.4
> Patch Level: 12
> Release Status: release
> 
> Description:
>     In rbash v4.4.12 it is possible to escape the restricted shell by
> running a program in the current directory
>     by setting the BASH_CMDS variable. This had currently been patched to
> exclude "/"
>     characters. However, if the file is flagged as executable, no slash
> needs to be
>     included, and the file with be executed.

`rbash' isn't especially useful in isolation. I'd argue that the game was
over when you ran `cp /bin/sh .', since that implies that PATH wasn't
sanitized (and may include `.', which would defeat the entire effort).

What's your proposed solution? I can see how verifying that the value
assigned is found in $PATH could fix a portion of the issue.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://tiswww.cwru.edu/~chet/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]