Re: Understanding Interpreter Spoofing
From: Kerin Millar
Subject: Re: Understanding Interpreter Spoofing
Date: Sat, 4 Dec 2021 14:31:26 +0000
On Sat, 04 Dec 2021 04:24:17 +0000
iam_chunky_pie via <help-bash@gnu.org> wrote:
> Hello everyone,
Hello.
>
> Noob here. I'm teaching myself bash and have come to a section regarding
> interpreter spoofing. I feel confident (but could be wrong) that I understand the
> concept based on what I've learned (I'll spare everyone a review).
>
> However, I'm not able to reproduce the spoof. I've googled "interpreter
> spoofing," "setuid root spoofing attacks" but all I get in return is the
> theory on what it is and how to avoid it. Has this vulnerability been fixed
> in bash or in Linux in general? I believe while trying to find an answer on
> my own, I saw something to that effect that suid and sgid are basically not
> allowed anymore in Linux and thought maybe something similar applied to how
> the shell uses that magic line to run scripts. Below is the sample script I
> tried to spoof and the commands I ran to try to reproduce the spoof.
Indeed, the Linux kernel ignores the setuid and setgid bits for binaries that
are handled by the BINFMT_SCRIPT loader. See
https://www.in-ulm.de/~mascheck/various/shebang/#setuid. The shell doesn't use
the shebang at all. Instead, it is treated as a comment.
>
> Sample Script:
> #!/bin/bash
> echo "did you pop a shell!"
>
> Commands:
> chmod 4750 script
As such, this mode won't affect how the script is executed by the kernel.
> mv script ~/-i
> oldPATH=$PATH
> PATH=.
> -i
In this instance, ./-i is conveyed as an argument to the interpreter
(/bin/bash). Therefore, it won't be treated as an option.
--
Kerin Millar
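Added illustration of both points above (not from this thread or from either poster), assuming Linux with /bin/sh available: an audit helper that lists interpreted scripts carrying setuid/setgid bits (which the kernel ignores, so they are dead weight worth cleaning up), and a re-run of the poster's "-i" experiment showing the path the interpreter actually receives as $0.

```shell
#!/bin/sh
# Constructed example. find_setuid_scripts lists files under $1 that begin with
# "#!" and have the setuid or setgid bit set. Linux ignores those bits for
# files handled by the BINFMT_SCRIPT loader, so such entries do nothing useful.
find_setuid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sh -c 'head -c 2 "$1" | grep -q "^#!"' _ {} \; -print
}

# Self-test fixture (constructed): one setuid script, one plain script and one
# setuid file that is not a script. Only suid.sh should be reported.
demo_audit() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$dir/suid.sh";  chmod 4755 "$dir/suid.sh"
    printf '#!/bin/sh\necho hi\n' > "$dir/plain.sh"; chmod 0755 "$dir/plain.sh"
    printf 'not a script\n'       > "$dir/suid.bin"; chmod 4755 "$dir/suid.bin"
    find_setuid_scripts "$dir" | sed "s|^$dir/||"
    rm -rf "$dir"
}

# Repeat the poster's experiment: a script literally named "-i", run with
# PATH=. so the shell resolves it to ./-i. The kernel then execs /bin/sh with
# "./-i" as its argument, so the interpreter sees a file path, not the -i
# option. The script just reports the $0 it was given.
run_dash_i() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "$0"\n' > "$dir/-i"
    chmod 4750 "$dir/-i"   # setuid bit set, but ignored by the kernel for scripts
    ( cd "$dir" && PATH=. && -i )
    rm -rf "$dir"
}

demo_audit   # prints: suid.sh
run_dash_i   # prints: ./-i
```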