Bypassing terminal restrictions

5 min


Today, the Linux operating system can be found everywhere, from home user systems to servers and IoT devices. Often, using the terminal in these systems is a very risky undertaking, since incorrect command entry in it can lead to irreparable consequences. To avoid such situations, you can either use a terminal emulator or set up restrictions on command calls. In this article, we will look at popular tools for setting restrictions on the use of the terminal and how to bypass them.

How to reduce the number of teams?

For any task that the operating system performs, there is always a set of software to solve it. If the system administrator chose to limit the number of available commands for user input, then the following types of software are available to him:

  1. Software that allows you to set a standard hardcoded set of restrictions;

  2. A software that allows you to manually set a set of restrictions on entering commands depending on the conditions under which they were launched.

The first category includes the following shells:

rbash

rzsh

rksh

The second category includes:

lshell

rssh

The list of such tools is not limited to those given: on the vastness of the network, you can find a large number of such tools. In the article we will consider exactly those listed above. All actions and practices that will be described below, with minor changes, can be ported to other tools of these classes.

Let’s try to test applications to limit the available commands. Let’s take Kali Linux based on Debian 5.9 OS as the base system. Let us take as the first research tool rbash, you can find basic information regarding its work here here… Starts up rbash simple enough:

  1. Let’s create a directory for testing and go to it: mkdir test; cd test

  2. Let’s run the command rbash in the directory test… All standard restrictions described in the documentation will be applied to it, including the execution of the command cd… Let’s check:

    Indeed, restrictions began to apply. You can exit this mode only by closing the shell.

Let’s try to use another application – rzsh… Its setup is the same as the previous test subject. An interesting fact is to run rzsh or you don’t need to install it additionally, if you have zsh: just specify the flag at startup ‘-r’… A list of restrictions can be found here

Let’s start the restriction on the same directory that we created in the last experiment and also try to go to another directory:

It is worth mentioning that when you start the shell in this mode, if you have never used it before, there will be the same prompt on the screen as shown in the picture above. Using this menu, you can make more precise settings, but we will not change anything for now.

The restrictions cannot be circumvented: entering data that would allow you to open another directory or file fails. But what if you try to get around the restrictions you set?

What are the methods to circumvent the restrictions?

When using the applications described above or their analogs, you can ask a reasonable question: how safe is it to restrict the terminal? Can an attacker bypass the exposed restrictions? To answer these questions, you can try to apply the standard stages of researching systems or applications for security, that is, to conduct an independent penetration test (“thinking like a criminal”):

  1. Collection of information (Enumiration)

  2. Attack scripting

  3. Attack implementation

The first stage is the most important, it includes special studies that allow you to answer the questions:

  1. Which shell is used to set the limits?

  2. What commands does the shell support?

  3. What is the name of the operating system?

  4. What are the known vulnerabilities for the application or a specific part of it?

The list of questions can be changed or supplemented at will. Let’s try to apply this approach in relation to the instrument rbash… Suppose we are dealing with a certain system for which we do not have information about the presence of any restrictions in the terminal.

1. Collection of information. Here we will try to find out which version of the command entry restrictions setting is used.

In our case, the terminal itself, when trying to enter the command, said that it was running for restrictions rbash:

Let’s define what exactly we want to make of this limited environment. For example, we need to get into the “Desktop” directory.

2. Attack scenario. How to proceed to execute the jump command cd? Any system or mechanism gives up if you try to test functions that combine several subsystems or separate OS units, since it is not always possible to programmatically ensure correct interaction between them. In our case, executing the command cd Is the launch of a process in the operating system. Let’s try to do this using additional utilities. Even with restrictions from rbash the user has the opportunity to use harmless applications, for example vim:

3. Implementation of the attack To carry out an attack, you can try to use the functionality vimwhich can send commands to the OS: !

In an open file vim we enter the sequence of commands: :!bash

As a result, we get access to the terminal without restrictions:

Thus, to get around the restrictions, it was necessary to know the commands vim and be able to run it from a restricted command shell. The rest of the applications can be tested in a similar way. To conduct tests, we recommend that you familiarize yourself with this project: it will help in building additional attack scenarios.

Conclusion

Using any tool for setting limits in the operating system is always the risk of missing some boundary conditions that allow you to bypass the established limits. To protect against this, it is worthwhile to thoroughly examine the application that should be used to provide functions to the user, and make changes that will take into account most scenarios of using the system.


The article was prepared by OTUS expert – Alexander Kolesnikov on the eve of the start of the course “Administrator Linux. Professional “

We invite everyone to sign up for a free demo lesson “Methods and Features for Debugging Bash Shell Scripts.”


0 Comments

Leave a Reply