[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
rbash escape vulnerability
|
From: |
Drew Parker |
|
Subject: |
rbash escape vulnerability |
|
Date: |
Thu, 21 Dec 2017 13:03:03 -0600 |
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
-DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
-DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_FORTIFY_SOURCE=2
-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong
-DDEFAULT_PATH_VALUE='/usr/local/sbin:/usr/local/bin:/usr/bin'
-DSTANDARD_UTILS_PATH='/usr/bin' -DSYS_BASHRC='/etc/bash.bashrc'
-DSYS_BASH_LOGOUT='/etc/bash.bash_logout' -DNON_INTERACTIVE_LOGIN_SHELLS
-Wno-parentheses -Wno-format-security
uname output: Linux titan 4.14.6-1-ARCH #1 SMP PREEMPT Thu Dec 14 21:26:16
UTC 2017 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu
Bash Version: 4.4
Patch Level: 12
Release Status: release
Description:
In rbash v4.4.12 it is possible to escape the restricted shell by
running a program in the current directory
by setting the BASH_CMDS variable. This had currently been patched to
exclude "/"
characters. However, if the file is flagged as executable, no slash
needs to be
included, and the file with be executed.
Repeat-By:
The break out is possible by placing a "sh" file in the current
directory. When I was
working on this, I was able to simply run "cp /bin/sh ."
From there, set the BASH_CMDS and execute it as such: BASH_CMDS[a]=sh;a
Fix:
This issue seems to have been addressed in v4.4, however it appears
that it was just
implementing a filter to restrict the use of the "/" character.
- rbash escape vulnerability,
Drew Parker <=