May 13, 2011

Breaking Out of "Jail" : Restricted Shell

No, I am not writing a sequel for the show "Prison Break", though I would love to see it come back to the screens :).

If you have never used a Linux or Unix-like terminal to administer a computer (yeah, it's a geeky post), you better stop reading now. The purpose of this post is to give some ideas on ways to get out of restricted shells on Linux systems.

- "But what is this restricted shell thing you are talking about?".
I assume that as a Linux user (if you are not, you should have stopped reading by now :D), you know that each time a terminal is launched, a special program is started to read your commands: the shell. There are many shells (Bourne shell or bash, Korn shell or kshell, and more) and they are very powerful, as you might expect. However, mostly in production environments where multiple users can remotely access a shell on a machine, it is good practice for administrators to restrict the commands that a normal user can execute on the host with the help of restricted shells (a good example is rbash, and the post "How to restrict access with rbash" describes a way to implement it).

- "So how do I break out of this restrictive "prison"?", two words: Shell Escapes.
Many command-line applications provide a way to fall back into a shell, restrictive or not. The one I will mostly talk about is offered by vi/vim the text editor, since it can permit you to access an unrestricted shell following these instructions:

1. Once in vi/vim, type ESC, then:
  • Type “:set shell=/bin/bash”
  • Type “:shell” and VOILA!!!!!

Unfortunately, vi/vim also has a restricted version rvi/rvim in which this trick will not work. If you are stuck with rvi, you can try the following methods to access vi with other applications:

2. Using the text-based browser lynx:
  • open a local file with lynx (e.g.: $ lynx /etc/passwd)
  • Type “o” to open the options; change the second option (Editor) to “/bin/vi” and save the changes to go back to the main page.
  • Type “e” to edit the file with vi
  • Follow instructions in 1.
3. Using the mail (local email client) command:
  • $ set VISUAL=/bin/vi
  • $ mail -s "subject" "destination email"
  • Type "~v" on the next line to edit the mail with vi.
  • Follow the instructions in 1.
There are various other ways to obtain the same result; this was just the tip of the iceberg.

UPDATE: Guess what?? The browser Elinks is also vulnerable to shell escapes. This is based on the feature (hacking feature?) allowing users to edit the contents of text boxes on a webpage using external editors (i.e. using other applications on the machine... Yayyy vi/vim). All you have to do is set up the $EDITOR environment variable with "/bin/vi" and the rest is history... Wait, you need more details?? OK:

  • $ set EDITOR=/bin/vi
  • Open a webpage containing a text box (should be easy to find on the Internet. If you cannot, well lmgtfy!!!).
  • Navigate to the text-box area and press Enter to edit, then press F4 (or whatever is used in the configurations) to edit the text box externally, and you should see something familiar :=)
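
From the administrator's side, the same list of programs (vi/vim, lynx, mail, elinks) can be used to audit the command directory handed to a restricted user. The script below is an added example, not code from the original post; it follows symlinks so that a renamed link to vim is still reported. The function names, the sample directory layout and the `vim.*` pattern are assumptions made for this example.

```sh
# Added example (not from the original post): audit the command directory
# given to a restricted-shell user for the programs the post names.

# True when NAME is one of those programs. "vim.*" covers packaged binary
# names such as vim.basic (an assumption about distro naming).
is_escape_capable() {
    case "$1" in
        vi|vim|vim.*|lynx|mail|elinks) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "name -> resolved target" for each finding in directory $1.
# Exit status 0 means at least one finding, 1 means none.
audit_restricted_dir() {
    ard_status=1
    for ard_entry in "$1"/*; do
        [ -f "$ard_entry" ] && [ -x "$ard_entry" ] || continue
        ard_name=$(basename "$ard_entry")
        # vim picks restricted mode from its invocation name, so a link
        # called rvim (or rvi) that points at vim is not a finding.
        case "$ard_name" in rvi|rvim) continue ;; esac
        ard_target=$(readlink -f "$ard_entry")   # follow symlink chains
        if is_escape_capable "$ard_name" ||
           is_escape_capable "$(basename "$ard_target")"; then
            printf '%s -> %s\n' "$ard_name" "$ard_target"
            ard_status=0
        fi
    done
    return "$ard_status"
}

# Constructed sample: stand-in binaries plus the symlinks an admin might
# place in the restricted user's PATH. Prints the directory to audit.
build_sample_dir() {
    bsd_root=$(mktemp -d)
    mkdir "$bsd_root/real" "$bsd_root/bin"
    for bsd_prog in vim lynx ls; do
        printf '#!/bin/sh\n' > "$bsd_root/real/$bsd_prog"
        chmod +x "$bsd_root/real/$bsd_prog"
    done
    ln -s ../real/ls   "$bsd_root/bin/ls"
    ln -s ../real/lynx "$bsd_root/bin/lynx"
    ln -s ../real/vim  "$bsd_root/bin/rvim"   # restricted by name
    ln -s ../real/vim  "$bsd_root/bin/edit"   # full vim under another name
    printf '%s\n' "$bsd_root/bin"
}

audit_restricted_dir "$(build_sample_dir)" || true
```

On the constructed sample this reports `edit` and `lynx` and leaves `ls` and `rvim` alone.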
