Output redirection to sockets possible within rbash
From: Blake Burkhart
Subject: Output redirection to sockets possible within rbash
Date: Sat, 3 Feb 2018 11:20:25 -0600
Within rbash, attempting to open a socket using /dev/tcp with <> fails as
expected due to output redirection being disabled:
    rbash-4.4$ exec 3<>/dev/tcp/www.gnu.org/80
    rbash: /dev/tcp/www.gnu.org/80: restricted: cannot redirect output
However, I noticed that output redirection is not disabled on open file
descriptors in rbash:
    rbash-4.4$ echo foo >&1
    foo
Additionally, even if a socket is opened only for reading, bash allows
writing to it. (This is not true for normal files; attempting to write to a
file opened read-only fails with "write error: Bad file descriptor" as expected.)
Combining these issues, within rbash we can open a socket for reading, and
perform full read write I/O on it:
    exec 3</dev/tcp/www.gnu.org/80
    echo -e "GET /software/bash/ HTTP/1.1\r\nhost: www.gnu.org\r\nConnection: close\r\n\r\n" >&3
    cat <&3
This appears to be a bug because normally output redirection is disabled
in rbash.
--
Blake Burkhart
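
The descriptor-duplication half of the report can be checked locally without a socket. The script below is an added example, not part of the original message or of bash itself: it probes which output redirection forms `bash -r` refuses, using a scratch file in place of a network connection. The function name `rbash_probe`, the scratch file name `out` and the marker text `MARK` are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): probe which output
# redirection forms a restricted bash refuses. Works on a scratch
# directory only; no network access is needed.

# rbash_probe SNIPPET
# Runs SNIPPET under `bash -r` with descriptor 3 already opened for
# appending to a scratch file named "out" (the name is an assumption of
# this example). Prints "allowed" if the text MARK reached that file,
# "refused" otherwise.
rbash_probe() {
    local snippet="$1" dir verdict=refused
    dir=$(mktemp -d) || return 2
    : > "$dir/out"
    # The parent (unrestricted) shell opens fd 3; the restricted child
    # only inherits it. BASH_ENV is cleared so no startup file runs.
    ( cd "$dir" && BASH_ENV= bash -r -c "$snippet" 3>>out >/dev/null 2>&1 ) || true
    if grep -q MARK "$dir/out"; then verdict=allowed; fi
    rm -rf "$dir"
    echo "$verdict"
}

# Constructed probes: three forms that open a file, one that only
# duplicates an already-open descriptor.
for form in 'echo MARK > out' 'echo MARK >> out' \
            'exec 4<>out; echo MARK >&4' 'echo MARK >&3'; do
    printf '%-28s %s\n' "$form" "$(rbash_probe "$form")"
done
```

Any descriptor reported as "allowed" is writable from inside the restricted shell, so whatever launches rbash should close the descriptors it does not intend to expose.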