help-bash

Re: Understanding Interpreter Spoofing


From: Alex fxmbsw7 Ratchev
Subject: Re: Understanding Interpreter Spoofing
Date: Sat, 4 Dec 2021 19:04:48 +0100

mv -- file1 -opt1

note the -- turns off -opt parsing

On Sat, Dec 4, 2021, 19:00 iam_chunky_pie <iam_chunky_pie@protonmail.com>
wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Saturday, December 4th, 2021 at 7:31 AM, Kerin Millar <
> kfm@plushkava.net> wrote:
>
> > On Sat, 04 Dec 2021 04:24:17 +0000
> >
> > iam_chunky_pie via help-bash@gnu.org wrote:
> >
> > > Hello everyone,
> >
> > Hello.
> >
> > > Noob here. I'm teaching myself bash and have come to a section
> > > regarding interpreter spoofing. I feel confident (but could be wrong,) I
> > > understand the concept based on what I've learned (I'll spare everyone a
> > > review.)
> > >
> > > However, I'm not able to reproduce the spoof? I've googled
> > > "interpreter spoofing," "setuid root spoofing attacks" but all I get in
> > > return is the theory on what it is and how to avoid it. Has this
> > > vulnerability been fixed in bash or in Linux in general? I believe while
> > > trying to find an answer on my own, I saw something to that effect that
> > > suid and sguid are basically not allowed anymore in Linux and thought maybe
> > > something similar applied to how the shell uses that magic line to run
> > > scripts. Below is the sample script I tried to spoof and the commands I ran
> > > to try to reproduce the spoof.
> >
> > Indeed, the Linux kernel ignores the setuid and setgid bits for binaries
> > that are handled by the BINFMT_SCRIPT loader. See
> > https://www.in-ulm.de/~mascheck/various/shebang/#setuid. The shell
> > doesn't use the shebang at all. Instead, it is treated as a comment.
> >
> > > Sample Script:
> > >
> > > #!/bin/bash
> > >
> > > echo "did you pop a shell!"
> > >
> > > Commands:
> > >
> > > chmod 4750 script
> >
> > As such, this mode won't affect how the script is executed by the kernel.
> >
> > > mv script ~/-i
> > >
> > > oldPATH=$PATH
> > >
> > > PATH=.
> > >
> > > -i
> >
> > In this instance, ./-i is conveyed as an argument to the interpreter
> > (/bin/bash). Therefore, it won't be treated as an option.
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------
> >
> > Kerin Millar
>
>
> Thanks.  I thought as such but I can't get any of the commands to accept
> -i as a file argument.  I've tried:
>
>     mv script '-i'
>     mv script "-i"
>
>     cd newdir
>     ln ../script -i --force
>
> None work.  The latter creates the hard link with the same name -
> "script", not -i.  I can't figure out what's missing.
>
>
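
As an added example (not written by anyone in this thread): a POSIX sh sketch of the two points made above, that `--` (or a `./` prefix) lets `mv` and `ln` take `-i` as a file name, and that running `-i` through `PATH=.` hands the interpreter `./-i` as a script path rather than as an option. The temporary directories, the function names and the `#!/bin/sh` test script are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added demonstration; all files are constructed in throwaway directories.

# Write a one-line script that prints how it was invoked ($0).
# Mode 750 rather than the thread's 4750: per the reply above, the kernel
# ignores the setuid bit on "#!" scripts, so it would change nothing here.
make_script() {
    printf '%s\n' '#!/bin/sh' 'printf "%s\n" "$0"' > "$1"
    chmod 750 "$1"
}

# "--" ends option parsing, so mv takes -i as the destination name.
rename_with_double_dash() (
    d=$(mktemp -d) && cd "$d" || exit 1
    make_script script
    mv -- script -i
    ls -A                      # prints the resulting name
    cd / && rm -rf -- "$d"
)

# Same for ln: the hard link is really called -i.
link_with_double_dash() (
    d=$(mktemp -d) && mkdir "$d/newdir" && cd "$d/newdir" || exit 1
    make_script ../script
    ln -- ../script -i
    [ ./-i -ef ../script ] && echo linked   # same inode => hard link
    cd / && rm -rf -- "$d"
)

# Run -i through PATH=. ; the kernel starts "/bin/sh ./-i", so the
# interpreter receives a script path, not an -i option.
run_via_path() (
    d=$(mktemp -d) && cd "$d" || exit 1
    make_script ./-i           # a ./ prefix works as well as "--"
    out=$(PATH=. -i)
    cd / && rm -rf -- "$d"
    printf '%s\n' "$out"
)

echo "mv -- gives:   $(rename_with_double_dash)"
echo "ln -- gives:   $(link_with_double_dash)"
echo "\$0 in script: $(run_via_path)"
```
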

