We’ve always been fans of wargames. Not the movie (well, also the movie) but I’m referring to hacking wargames. There are several formats, but usually you have access to an initial shell account somewhere, which is level0, and you have to exploit some flaw in the system to get level1 permissions, and so forth. Almost always there’s a level where you have to exploit a legitimate binary (with some shady permissions) that does more than what the regular user thinks.
In the case of CVE-2017-8386, less is more.
[Timo Schmid] details how the git-shell, a restricted shell meant to be used as the upstream peer in a git remote session over an ssh tunnel, can be abused in order to achieve arbitrary file read, directory listing and somewhat restricted file write. The basic idea of git-shell is to restrict the allowed commands in an ssh session to the ones required by git (git-receive-pack, git-upload-pack, git-upload-archive). The researcher realized he could pass parameters to these commands, like the flag --help:
    $ ssh git@remoteserver "git-receive-pack '--help'"
    GIT-RECEIVE-PACK(1)                Git Manual                GIT-RECEIVE-PACK(1)

    NAME
           git-receive-pack - Receive what is pushed into the repository
    [...]
What the flag does is make the git command open the git man page, which is passed on to a pager program, usually less. And this is where it gets interesting. The less command, if running interactively, can do several things you would expect, like searching for text, going to a line number, scrolling down and so on. What it can also do is open a new file (:e), save the input to a file (s) and execute commands (!). To make it run interactively, you have to force the allocation of a PTY in ssh, like so:
    $ ssh -t git@remoteserver "git-receive-pack '--help'"
    GIT-RECEIVE-PACK(1)                Git Manual                GIT-RECEIVE-PACK(1)

    NAME
           git-receive-pack - Receive what is pushed into the repository
    Manual page git-receive-pack(1) line 1 (press h for help or q to quit)
Press h for help and have fun. One caveat is that in usual installations the code execution will not really execute arbitrary commands, since the currently running login shell is the git-shell, restricted to only some whitelisted commands. There are, however, certain configurations where this might happen, such as keeping bash or sh as the login shell and limiting the user in ways that they can only use git (such as in shared environments without root access). You can see such an example here.
The quickest solution seems to be to enable the no-pty flag server-side, in the sshd configuration. This prevents clients from requesting a PTY so less won’t run in an interactive mode.
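As a quick way to verify that mitigation, here is an added example (not code from the original post or from the git project) that audits an OpenSSH authorized_keys file and lists every key entry that still permits PTY allocation, i.e. has neither the no-pty option nor restrict (without a later pty). The file path and the sample entries used in comments are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: list authorized_keys entries
# that still allow a PTY. Assumes the standard OpenSSH layout
#   [options] key-type base64-key [comment]
# Prints each offending entry and returns how many were found, so an exit
# status of 0 means every key on the file is PTY-restricted.
audit_no_pty() {
    file="$1"
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        # Options are everything before the key-type token: cut the line at
        # the first " ssh-", " ecdsa-" or " sk-" (the usual OpenSSH key types).
        opts="${line%% ssh-*}"
        opts="${opts%% ecdsa-*}"
        opts="${opts%% sk-*}"
        case "$opts" in
            ssh-*|ecdsa-*|sk-*) opts="" ;;   # entry has no options field at all
        esac
        # Wrap in commas so each option is matched as a whole word, not a substring.
        case ",$opts," in
            *,no-pty,*) ;;                   # explicitly restricted: fine
            *,restrict,*)                    # restrict implies no-pty unless pty re-enables it
                case ",$opts," in
                    *,pty,*) printf 'PTY allowed: %s\n' "$line"
                             missing=$((missing + 1)) ;;
                esac ;;
            *) printf 'PTY allowed: %s\n' "$line"
               missing=$((missing + 1)) ;;
        esac
    done < "$file"
    return "$missing"
}

# Usage (path is an assumption): sh audit_no_pty.sh /home/git/.ssh/authorized_keys
[ "$#" -eq 0 ] || audit_no_pty "$1"
```

Note that a `command="..."` option on its own does not stop less from going interactive; only the PTY restriction does, which is why the script looks for that specifically.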
    $ man less
    LESS(1)                   General Commands Manual                   LESS(1)

    NAME
           less - opposite of more
Ironic, isn’t it?