ghantoos / lshell

lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
GNU General Public License v3.0

[PATCH]: Adding support for detecting shell escapes (i.e. dropping to unrestricted bash shell) #132

Closed. kamade closed this 8 years ago

kamade commented 8 years ago

While doing SANS penetration testing on the lshell (the shell assigned to LDAP users), it was seen that we can run an AWK command to drop us into an unrestricted bash shell:

==== in limited shell for LDAP user "kam" ====

```
kam@hostA:~$ echo $SHELL
*** forbidden path: /usr/bin/lshell
```

==== exploit vulnerability to drop into bash shell ====

```
kam@hostA:~$ awk 'BEGIN {system("/bin/sh")}'
sh-4.2$
```

==== now have unrestricted access to commands ====

```
sh-4.2$ ps
  PID TTY          TIME CMD
 1943 pts/1    00:00:00 sh
 1944 pts/1    00:00:00 awk
 1945 pts/1    00:00:00 sh
 1946 pts/1    00:00:00 sh
 3779 pts/1    00:00:00 ps
18173 pts/1    00:00:00 cgcs_cli   <<<<<<<<<<<<<< LDAP limited shell process
18174 pts/1    00:00:00 python
```

==== dropped shell can also access paths that were previously forbidden ====

```
sh-4.2$ ls -lrta /etc/lshell.conf
-rw-r--r-- 1 root root 3539 Jan 26 16:41 /etc/lshell.conf
```

The patch hardens the check_secure() and check_path() pathways to ensure that a forbidden command/path is not nested within an otherwise permissible command/path (such as awk). The AWK case is special in particular since AWK itself is an interpreter. A hacker may trivially develop an awk script to drop out of lshell. The fix also sanitizes bash "source" scripts and recognizes awk scripts and forbids them altogether.

The attached patch has been applied in our code base and is being shared upstream: lshell-shell-escape-check.patch.txt
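The nested-command and source-file checks the report describes, as an added illustration that is neither lshell's code nor the attached patch: a small check_secure()/check_path() pair that splits a line at shell separators, refuses interpreters such as awk outright, scans the raw text of each segment (inside quotes too) for a forbidden shell name or path, and checks a sourced file line by line before it could run. The allow/forbid lists, the `read_file` hook and the separator handling are assumptions made for this example; lshell itself reads its lists from lshell.conf.

```python
import re
import shlex

# Constructed policy for this example; lshell loads the real lists from lshell.conf.
ALLOWED = {"echo", "ls", "ps", "cat", "awk", "source", "."}
FORBIDDEN_CMDS = {"sh", "bash", "dash", "zsh", "ksh", "python", "perl"}
FORBIDDEN_PATHS = ("/etc/lshell.conf", "/usr/bin/lshell")
INTERPRETERS = {"awk", "gawk", "mawk", "nawk"}  # can call system(): refused outright
SEPARATORS = re.compile(r"\|\||&&|[;|&]")
# A forbidden shell name standing alone anywhere in the text, quoted or not, with an
# optional path prefix: catches system("/bin/sh") and `exec bash`, not evil.sh or $SHELL.
NESTED_CMD = re.compile(r"(?<![\w.-])(?:/[\w./-]*/)?(%s)(?![\w.-])"
                        % "|".join(sorted(FORBIDDEN_CMDS)))

def check_path(text):
    """Refuse a forbidden path wherever it appears in the text, quoted or not."""
    for path in FORBIDDEN_PATHS:
        if path in text:
            return "forbidden path: %s" % path
    return None

def check_secure(line, read_file=None, depth=0):
    """Return None if the line passes, else why it is refused. Every ';', '|', '&&'
    segment is checked; sourced files are read (via read_file) and checked first."""
    if depth > 8:  # a script that sources itself must not recurse forever
        return "source nesting too deep"
    for segment in SEPARATORS.split(line):
        try:
            argv = shlex.split(segment)
        except ValueError as exc:
            return "unbalanced quoting: %s" % exc
        if not argv:
            continue
        cmd = argv[0].rsplit("/", 1)[-1]
        if cmd not in ALLOWED or cmd in FORBIDDEN_CMDS:
            return "forbidden command: %s" % cmd
        if cmd in INTERPRETERS:
            return "forbidden command: %s (interpreter)" % cmd
        nested = NESTED_CMD.search(segment)
        if nested:
            return "forbidden command nested in arguments: %s" % nested.group(1)
        reason = check_path(segment)
        if reason:
            return reason
        if cmd in ("source", ".") and len(argv) > 1:
            for inner in (read_file or (lambda p: open(p).read()))(argv[1]).splitlines():
                reason = check_secure(inner, read_file, depth + 1)
                if reason:
                    return "%s: %s" % (argv[1], reason)
    return None
```

The separator split is deliberately naive: a `;` or `|` inside quotes leaves a segment with unbalanced quoting, so the whole line is refused rather than partially checked.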