
Re: Understanding Interpreter Spoofing


From: Kerin Millar
Subject: Re: Understanding Interpreter Spoofing
Date: Sat, 4 Dec 2021 20:06:17 +0000

On Sat, 04 Dec 2021 18:08:12 +0000
iam_chunky_pie <iam_chunky_pie@protonmail.com> wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> 
> On Saturday, December 4th, 2021 at 7:31 AM, Kerin Millar <kfm@plushkava.net> 
> wrote:
> 
> > On Sat, 04 Dec 2021 04:24:17 +0000
> >
> > iam_chunky_pie via help-bash@gnu.org wrote:
> >
> > > Hello everyone,
> >
> > Hello.
> >
> > > Noob here. I'm teaching myself bash and have come to a section regarding 
> > > interpreter spoofing. I feel confident (but could be wrong) that I understand 
> > > the concept based on what I've learned (I'll spare everyone a review).
> > >
> > > However, I'm not able to reproduce the spoof. I've googled "interpreter 
> > > spoofing" and "setuid root spoofing attacks", but all I get in return is the 
> > > theory on what it is and how to avoid it. Has this vulnerability been 
> > > fixed in bash or in Linux in general? I believe that while trying to find an 
> > > answer on my own, I saw something to that effect, that suid and sgid are 
> > > basically not allowed anymore in Linux, and thought maybe something 
> > > similar applied to how the shell uses that magic line to run scripts. 
> > > Below is the sample script I tried to spoof and the commands I ran to try 
> > > to reproduce the spoof.
> >
> > Indeed, the Linux kernel ignores the setuid and setgid bits for binaries 
> > that are handled by the BINFMT_SCRIPT loader. See 
> > https://www.in-ulm.de/~mascheck/various/shebang/#setuid. The shell doesn't 
> > use the shebang at all. Instead, it is treated as a comment.
> 
> > Kerin Millar
> 
> Sorry, still getting used to this style of posting and didn't notice your 
> comment within my original email body. So if I understood you correctly, 
> because the shebang isn't used at all and is only treated as a comment (when it 
> comes to executing scripts at least), this interpreter spoofing isn't 
> something that can be done anymore. (At least as it relates to the original 
> attack theory?)

The BINFMT_SCRIPT loader requires that the first two bytes be 0x23, 0x21 
("#!"). What remains is treated as the path of the interpreter and, 
potentially, one argument to be conveyed to the interpreter. Whether it 
discerns this optional argument or not, the pathname of the script is always 
the final argument. See 
https://github.com/torvalds/linux/blob/master/fs/binfmt_script.c for the exact 
methodology. From this, you may conclude that the name of the script has no 
bearing on how the path of the interpreter is determined.

That being said, it is possible to name and invoke the script in such a way 
that its name is parsed by the specified interpreter as if it had been intended 
as an option argument. I posted an example in 
https://lists.gnu.org/archive/html/bug-bash/2021-11/msg00152.html. As concerns 
bash, I can't think of any way in which this would count as an exploit. At any 
rate, this eventuality can be defended against by defining the shebang as 
"#!/bin/bash --".

-- 
Kerin Millar
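The parsing described above, as an added example that is not part of the thread: a small POSIX sh emulation of how fs/binfmt_script.c turns a "#!" line into an argv, showing that the interpreter gets at most one option argument and that the script's path is always appended last, so "#!/bin/bash --" puts a script whose name looks like an option safely after the option terminator. It ignores the kernel's cap on the line length (BINFMT_BUF_SIZE) and uses sed(1) for the blank trimming; the "-x" script is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): emulate how the Linux BINFMT_SCRIPT
# loader (fs/binfmt_script.c) turns a script's "#!" line into an argv, to
# show why "#!/bin/bash --" keeps a script's own name out of option parsing.
# Simplification: the kernel caps the line at BINFMT_BUF_SIZE bytes; this
# emulation does not, and it uses sed(1) for the blank trimming.

# shebang_argv FILE: print the argv the kernel would build, one element per
# line; fail (like -ENOEXEC) if FILE does not begin with the bytes "#!".
shebang_argv() {
    file=$1
    line=
    IFS= read -r line < "$file" || [ -n "$line" ] || return 1
    case $line in
        '#!'*) ;;
        *) return 1 ;;
    esac
    # Drop "#!", then the blanks the kernel skips before the interpreter
    # and the trailing blanks it strips from the end of the line.
    line=$(printf '%s\n' "${line#??}" | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//')
    [ -n "$line" ] || return 1                 # "#!" with nothing after it
    # The interpreter is the first blank-delimited word ...
    interp=$(printf '%s\n' "$line" | sed 's/[[:blank:]].*//')
    # ... and whatever follows it is ONE optional argument: the kernel does
    # not split it further, so "bash -x" after /usr/bin/env stays one word.
    optarg=$(printf '%s\n' "$line" | sed 's/^[^[:blank:]]*[[:blank:]]*//')
    printf '%s\n' "$interp"
    [ -n "$optarg" ] && printf '%s\n' "$optarg"
    # The path handed to execve() is always appended last, whatever it looks like.
    printf '%s\n' "$file"
}

# Demo with a constructed script whose name, "-x", resembles a bash option:
# without "--" the name lands where an option would, with "--" it cannot.
(
    tmp=$(mktemp -d) && cd "$tmp" || exit 1
    printf '#!/bin/bash\n' > -x
    echo "without --: $(shebang_argv -x | tr '\n' ' ')"
    printf '#!/bin/bash --\n' > -x
    echo "with    --: $(shebang_argv -x | tr '\n' ' ')"
    cd / && rm -rf "$tmp"
)
```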


