
Re: Understanding Interpreter Spoofing


From: iam_chunky_pie
Subject: Re: Understanding Interpreter Spoofing
Date: Sat, 04 Dec 2021 17:59:36 +0000

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, December 4th, 2021 at 7:31 AM, Kerin Millar <kfm@plushkava.net> 
wrote:

> On Sat, 04 Dec 2021 04:24:17 +0000
>
> iam_chunky_pie via help-bash@gnu.org wrote:
>
> > Hello everyone,
>
> Hello.
>
> > Noob here. I'm teaching myself bash and have come to a section regarding 
> > interpreter spoofing. I feel confident (but could be wrong) I understand 
> > the concept based on what I've learned (I'll spare everyone a review.)
> >
> > However, I'm not able to reproduce the spoof. I've googled "interpreter 
> > spoofing," "setuid root spoofing attacks" but all I get in return is the 
> > theory on what it is and how to avoid it. Has this vulnerability been fixed 
> > in bash or in Linux in general? I believe while trying to find an answer on 
> > my own, I saw something to that effect that suid and sgid are basically 
> > not allowed anymore in Linux and thought maybe something similar applied to 
> > how the shell uses that magic line to run scripts. Below is the sample 
> > script I tried to spoof and the commands I ran to try to reproduce the 
> > spoof.
>
> Indeed, the Linux kernel ignores the setuid and setgid bits for binaries that 
> are handled by the BINFMT_SCRIPT loader. See 
> https://www.in-ulm.de/~mascheck/various/shebang/#setuid. The shell doesn't 
> use the shebang at all. Instead, it is treated as a comment.
>
> > Sample Script:
> >
> > #!/bin/bash
> >
> > echo "did you pop a shell!"
> >
> > Commands:
> >
> > chmod 4750 script
>
> As such, this mode won't affect how the script is executed by the kernel.
>
> > mv script ~/-i
> >
> > oldPATH=$PATH
> >
> > PATH=.
> >
> > -i
>
> In this instance, ./-i is conveyed as an argument to the interpreter 
> (/bin/bash). Therefore, it won't be treated as an option.
>
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Kerin Millar


Thanks.  I thought as such but I can't get any of the commands to accept -i as 
a file argument.  I've tried:

    mv script '-i'
    mv script "-i"

    cd newdir
    ln ../script -i --force

None work.  The latter creates the hard link with the same name - "script", not 
-i.  I can't figure out what's missing.
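The two points Kerin makes (the kernel ignores the setuid bit on a script, and the shell hands the interpreter the path ./-i rather than a bare -i) and the mv problem in the message above can be checked in a scratch directory. The script below is an added example, not code from the thread; it assumes a POSIX /bin/sh, the id utility, and GNU-style option parsing in mv (options are recognised anywhere on the command line, which is why the `--` end-of-options marker is needed to create a file named -i).

```shell
#!/bin/sh
# Added example (not from the thread). Recreates the poster's set-up in a
# scratch directory and records what the interpreter actually receives.
# Assumptions: a POSIX sh at /bin/sh and the "id" utility. The thread uses
# /bin/bash; the kernel's script loader treats the shebang the same way.
set -u

# Build the sample script, set mode 4750 as in the thread, and rename it to "-i".
# "--" tells mv that option parsing is over, so "-i" is a pathname rather than
# --interactive. Quoting ('-i', "-i") changes nothing: mv still sees "-i".
# Writing the destination as "./-i" works as well, which is Kerin's hint.
setup_dash_file() {
    dir=$1
    printf '%s\n' '#!/bin/sh' \
        'PATH=/usr/bin:/bin' \
        'printf "%s %s\n" "$(id -u)" "$0"' > "$dir/script"
    chmod 4750 "$dir/script"
    mv -- "$dir/script" "$dir/-i"
    [ -f "$dir/-i" ]
}

# What the poster tried: without "--", GNU mv parses -i as an option, is left
# with a single operand and fails. Returns 0 when mv refuses, i.e. when the
# intended file name was consumed as an option.
mv_eats_dash_i() {
    dir=$1
    : > "$dir/plain"
    ! mv "$dir/plain" -i 2>/dev/null
}

# Run it the way the poster did: PATH=. and a bare "-i" on the command line.
# The shell resolves "-i" through PATH to "./-i" and passes that path to
# execve; the kernel reads the shebang and runs "/bin/sh ./-i". The script
# prints "<effective uid> <argv[1]>", e.g. "1000 ./-i". PATH is reset inside
# the script only so that "id" can be found.
run_as_poster_did() {
    dir=$1
    ( cd "$dir" && PATH=. -i )
}

# Compare what the script reported with the caller's own effective uid. A match
# means the setuid bit had no effect, which is the kernel behaviour Kerin
# describes (BINFMT_SCRIPT drops setuid/setgid for interpreted files).
euid_unchanged() {
    dir=$1
    out=$(run_as_poster_did "$dir")
    [ "$out" = "$(id -u) ./-i" ]
}

if [ "${1-}" = run ]; then
    d=$(mktemp -d "${TMPDIR:-/tmp}/spoof.XXXXXX")
    setup_dash_file "$d"
    ls -l "$d"                      # the "s" in the mode column shows the bit is set
    run_as_poster_did "$d"          # prints "<your euid> ./-i"
    euid_unchanged "$d" && echo "setuid bit ignored: euid unchanged"
    mv_eats_dash_i "$d" && echo "mv without -- treated -i as an option"
    rm -rf "$d"
fi
```

Run it with `sh example.sh run`. The ls line confirms the bit is present on the file, the second line shows the interpreter was given `./-i` (so bash never sees a lone `-i` to interpret as an option), and the euid line is the mitigation in action: the script runs with the caller's own privileges regardless of mode 4750.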


