On 12/21/17 2:03 PM, Drew Parker wrote:
> Bash Version: 4.4
> Patch Level: 12
> Release Status: release
>
> Description:
> In rbash v4.4.12 it is possible to escape the restricted shell by
> running a program in the current directory by setting the BASH_CMDS
> variable. This has currently been patched to exclude "/" characters.
> However, if the file is flagged as executable, no slash needs to be
> included, and the file will be executed.

`rbash' isn't especially useful in isolation. I'd argue that the game was
over when you ran `cp /bin/sh .', since that implies that PATH wasn't
sanitized (and may include `.', which would defeat the entire effort).

What's your proposed solution? I can see how verifying that the value
assigned is found in $PATH could fix a portion of the issue.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates

Chet Ramey, UTech, CWRU c...@case.edu http://tiswww.cwru.edu/~chet/
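The two checks Chet's reply touches on, written out as an added example (not code from this thread or from bash itself): a PATH value is only fit for a restricted shell if every entry is absolute, and a command name handed to the shell is only accepted if it carries no slash and resolves to an executable regular file under one of those PATH entries. The function names are my own.

```shell
#!/bin/sh
# Added example: PATH sanity check for a restricted shell.
# Returns 0 when every entry is an absolute directory, 1 otherwise.
# An empty PATH, or an empty entry (leading, trailing or doubled colon),
# is rejected because the shell treats an empty entry as ".".
path_is_sanitized() {
  case "$1" in
    ''|:*|*:|*::*) return 1 ;;
  esac
  (
    IFS=:; set -f          # split on ':' only, no globbing of entries
    for d in $1; do
      case "$d" in
        /*) ;;             # absolute directory: acceptable
        *)  exit 1 ;;      # "." or any relative entry: reject
      esac
    done
    exit 0
  )
}

# Resolve NAME ($1) strictly through PATH ($2), the check Chet suggests for
# a value assigned to BASH_CMDS. A name containing a slash is refused, the
# PATH itself must pass path_is_sanitized, and the name must be an
# executable regular file in one of the PATH directories. Returns 0 only
# when all of that holds.
cmd_in_path() {
  case "$1" in
    ''|*/*) return 1 ;;
  esac
  path_is_sanitized "$2" || return 1
  (
    IFS=:; set -f
    for d in $2; do
      [ -f "$d/$1" ] && [ -x "$d/$1" ] && exit 0
    done
    exit 1
  )
}

# Stand-alone usage: exit status reports whether "sh" is reachable
# through a sanitized PATH (constructed sample PATH below).
cmd_in_path sh "/bin:/usr/bin"
```

Note that a copy of /bin/sh dropped into the current directory never satisfies cmd_in_path, because "." cannot appear in a PATH that passes path_is_sanitized.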