[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Output redirection to sockets possible within rbash

From: Blake Burkhart
Subject: Output redirection to sockets possible within rbash
Date: Sat, 3 Feb 2018 11:20:25 -0600

Within rbash, attempting to open a socket using /dev/tcp with <> fails as
expected due to output redirection being disabled:

rbash-4.4$ exec 3<>/dev/tcp/www.gnu.org/80
rbash: /dev/tcp/www.gnu.org/80: restricted: cannot redirect output

However, I noticed that output redirection is not disabled on open file
descriptors in rbash:

rbash-4.4$ echo foo >&1

Additionally, even if a socket is opened only for reading, bash allows
writing to it. (This is not true for normal files, attempting to a file
opened read only fails with "write error: Bad file descriptor" as expected.)

Combining these issues, within rbash we can open a socket for reading, and
perform full read write I/O on it:

exec 3</dev/tcp/www.gnu.org/80
echo -e "GET /software/bash/ HTTP/1.1\r\nhost: www.gnu.org\r\nConnection:
close\r\n\r\n" >&3
cat <&3

This appears to be a bug because normally output redirection is disabled

Blake Burkhart

reply via email to

[Prev in Thread] Current Thread [Next in Thread]