Re: Potential restricted bash escape by modifying history file
From: Chet Ramey
Subject: Re: Potential restricted bash escape by modifying history file
Date: Fri, 1 May 2020 15:06:33 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.7.0

On 4/30/20 2:22 PM, Diffie wrote:
> Bash Version: 5.0
> Patch Level: 11
> Release Status: release
>
> *Description:*
> It is possible to write/append arbitrary content to files from a restricted
> bash shell (with the privileges of the current user context) by tweaking the
> HISTFILE variable, or by specifying a filename to "history -[a][w]". This
> does not necessarily lead to a restriction bypass in all configurations, but
> does in a few that come to mind:
>
> * If the user can write to their home directory they can append arbitrary
> code to .bashrc/other shell files. These shell files will execute the code
> without restrictions on subsequent runs of rbash (assuming rbash is not being
> run in posix mode, and that --norc is not being passed)
> * If the user is root they can trivially get an unrestricted shell by
> modifying /etc/passwd, etc.
> * If the cwd contains an executable script that the user can write to, they
> can append to the script with arbitrary code, then invoke this code from
> rbash: "hash -p executable_script mal_command ; mal_command" (this could be
> possible with an executable binary too, although would be a little more
> complex)
> * SSH authorized keys, various other configs.

These all fall under the category of "poorly configured restricted shell."
But it's not a bad idea to restrict history -arnw and make HISTFILE
readonly. Thanks for the report.

Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
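
The configurations listed in the report, which the reply classes as a poorly configured restricted shell, can be checked from the administrator's side. The following POSIX sh audit is an added example, not part of the thread or of bash; the function names, the list of files checked and the placeholder account in the usage line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: list files in a restricted account's
# home directory that the account itself can modify.

# writable_by PATH USER: succeeds if PATH is owned by USER with the
# owner-write bit set, or is world-writable (group write is not checked).
# Mode bits are read with find rather than `test -w`, so the answer does
# not depend on who runs the audit.
writable_by() {
    [ -n "$(find -H "$1" -prune \( -user "$2" -perm -200 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_rbash_home HOME USER: print one finding per line, nothing if clean.
audit_rbash_home() (
    home=$1 user=$2

    # A writable home lets the account create any startup file that is missing.
    if writable_by "$home" "$user"; then
        printf 'home-writable: %s\n' "$home"
    fi

    # Startup files bash reads, plus SSH key material.
    for f in .bashrc .bash_profile .bash_login .profile .ssh .ssh/authorized_keys; do
        if [ -e "$home/$f" ] && writable_by "$home/$f" "$user"; then
            printf 'writable: %s\n' "$home/$f"
        fi
    done

    # Executable files the account could append to.
    find "$home" -type f -perm -100 \
        \( -user "$user" -perm -200 -o -perm -002 \) 2>/dev/null |
        sed 's/^/writable-exec: /'
)

# Usage: sh audit.sh /home/kiosk kiosk   (path and account name are placeholders)
if [ "$#" -eq 2 ]; then
    audit_rbash_home "$1" "$2"
fi
```

An empty result means the home directory, the startup files, the SSH key material and every executable under the home are owned by another user or have the write bits cleared.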